Security+ CH8

Definition of Authentication (in two contexts)
1. as it relates to access control 2. as one of the three key elements of security—authentication, authorization, and accounting
Authentication, Authorization, and Accounting (AAA)
the three key elements in security; make it possible to determine who the user is, what the user can do, and what the user did, to help control access to network resources, enforce security policies, and audit usage
Authentication
provides a way of identifying a user, typically by having them enter a valid password before granting access
Authorization
the process that determines whether the user has the authority to carry out certain tasks; often defined as the process of enforcing policies
Accounting
measures the resources a user "consumes" during each network session
AAA servers
Servers dedicated to performing AAA functions; they can provide significant advantages in a network
One-Time Passwords
Dynamic passwords that change frequently
typically a small device with a window display
Challenge-based OTPs
Authentication server displays a challenge (a random number) to the user
Standard biometrics
Uses a person's unique characteristics for authentication (what he is)
Two Types of fingerprint scanners
Static and dynamic
Static fingerprint scanner
requires the user to place the entire thumb or finger on a small oval window on the scanner
Dynamic fingerprint scanner
requires the user to swipe a finger across the opening or slit
Behavioral biometrics
Authenticates by normal actions that the user performs
Keystroke dynamics
Attempt to recognize a user's unique typing rhythm
Keystroke dynamics uses two unique typing variables
dwell and flight time
Dwell time
the time it takes for a key to be pressed and then released
Flight time
the time it takes between keystrokes
Voice recognition
Used to authenticate users based on the unique characteristics of a person's voice
Phonetic cadence
Speaking two words together in a way that one word "bleeds" into the next; becomes part of each user's speech pattern
Computer footprint
When and from where a user normally accesses a system
Cognitive biometrics
Related to the perception, thought process, and understanding of the user
Authentication credentials
one-time passwords, standard biometrics, behavioral biometrics, voice recognition, computer footprints, cognitive biometrics
Authentication Models
single- and multi-factor authentication, single sign-on, Windows Live ID, Windows CardSpace, OpenID
One-factor authentication
Using only one authentication credential
Two-factor authentication
Enhances security, particularly if different types of authentication methods are used
Three-factor authentication
Requires that a user present three different types of authentication credentials
Single sign-on
using one authentication to access multiple accounts or applications
Federated identity management (FIM)
When those networks are owned by different organizations
Identity management
Using a single authenticated ID to be shared across multiple networks
Windows Live ID
Originally introduced in 1999 as .NET Passport, requires a user to create a standard username and password
Windows CardSpace
Feature of Windows that is intended to provide users with control of their digital identities while helping them to manage privacy
OpenID
A decentralized open source FIM that does not require specific software to be installed on the desktop
The most common types of authentication and AAA servers
RADIUS, Kerberos, TACACS+, and generic servers built on the Lightweight Directory Access Protocol (LDAP)
RADIUS (Remote Authentication Dial-In User Service)
an authentication server for high-volume service control applications
Kerberos
An authentication system developed by the Massachusetts Institute of Technology (MIT) and used to verify the identity of networked users
Kerberos process
The user is provided a ticket issued by the Kerberos authentication server; the user presents this ticket to the network for a service; the service then examines the ticket to verify the identity of the user
Terminal Access Controller Access Control System Plus (TACACS+)
An industry standard protocol specification that forwards username and password information to a centralized server
Lightweight Directory Access Protocol (LDAP)
a simpler subset of the Directory Access Protocol
Directory Service
A database stored on the network itself that contains information about users and network devices
X.500
A standard for directory services, created by ISO
White-pages service
Capability to look up information by name
Yellow-pages service
Browse and search for information by category
Directory information base (DIB)
the repository in which X.500 information is held
Directory information tree (DIT)
the tree structure of a directory information base
Directory Access Protocol (DAP)
the X.500 standard that defines a protocol for a client application to access the X.500 directory
LDAP is an ____ protocol
Extended Authentication Protocols (EAP)
Management protocol of IEEE 802.1X that governs the interaction between the system, authenticator, and RADIUS server
The EAP protocols can be divided into three categories
Authentication legacy protocols, EAP weak protocols, and EAP strong protocols
Authentication Legacy Protocols
protocols no longer extensively used for authentication
Three authentication legacy protocols
Password Authentication Protocol (PAP)
one of the earliest basic protocols, used to authenticate a user to a remote access server or to an Internet service provider (ISP); transmits unencrypted passwords in clear text
Challenge-Handshake Authentication Protocol (CHAP)
Uses a three-way handshake; both the device and the authenticator share a secret key
Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)
the Microsoft implementation of CHAP (two versions); provides a method for changing passwords and retrying in the event of a failure
EAP weak protocols
Extended Authentication Protocol-MD5 (EAP-MD5)
allows a RADIUS server to authenticate stations by verifying an MD5 hash of each user's password
Lightweight EAP (LEAP)
requires mutual authentication and delivers the keys used for WLAN encryption; uses Cisco clients
EAP strong protocols
EAP with Transport Layer Security (EAP-TLS)
requires that the device and the RADIUS server prove their identities to each other using enhanced security (public key cryptography with digital certificates)
EAP with Tunneled TLS (EAP-TTLS) and Protected EAP (PEAP)
designed to simplify the deployment of 802.1X; both use Windows logins and passwords
more flexible scheme because it creates an encrypted channel between the client and the authentication server
Managing remote authentication and security usually includes:
Using remote access services, Installing a virtual private network, Maintaining a consistent remote access policy
Remote Access Services (RAS)
Any combination of hardware and software that enables remote users to access a local internal network; provides remote users with the same access and functionality as local users
Virtual private network (VPN)
One of the most common types of RAS, uses an unsecured public network, such as the Internet, as if it were a secure private network
Common types of VPNs
Remote-access VPN or virtual private dial-up network (VPDN)
a user-to-LAN virtual private network connection used by remote users
Site-to-site VPN
a virtual private network in which multiple sites can connect to other sites over the Internet
end of the tunnel between VPN devices
VPN concentrator
Aggregates hundreds or thousands of multiple connections
Advantages of VPN technology
Cost savings, Scalability, Full protection, Speed, Transparency, Authentication, Industry standards
Disadvantages to VPN technology
Management, Availability and performance, Interoperability, Additional protocols, Performance impact, Expense