
Page 1


Chapter 13: Authentication and Access Control

Instructor:

Page 2

Chapter 13 Objectives

• The following CompTIA Network+ exam objectives are covered in this chapter:

5.2 Explain the methods of network access security.

• ACL:
  – MAC filtering
  – IP filtering
  – Port filtering

• Tunneling and encryption:
  – SSL VPN
  – VPN
  – L2TP
  – PPTP
  – IPSec
  – ISAKMP
  – TLS
  – TLS1.2
  – Site-to-site and client-to-site

Page 3

Chapter 13 Objectives (Cont)

5.2 Explain the methods of network access security.

• Remote access:
  – RAS
  – RDP
  – PPPoE
  – PPP
  – ICA
  – SSH

5.3 Explain methods of user authentication.

• PKI
  – Kerberos
  – AAA (RADIUS, TACACS+)
  – Network access control (802.1x, posture assessment)
  – CHAP
  – MS-CHAP
  – EAP
  – Two-factor authentication
  – Multifactor authentication
  – Single sign-on

Page 4

Security Filtering


How do we know who’s really at the other end of our connections?

The answer to the question may seem simple enough because the computer or person on the other end of the connection has to identify him/her/itself, right?

Wrong!

That’s just not good enough, because people—especially hackers—lie!

The first line of defense is called security filtering, which broadly refers to ways to let people securely access your resources.

Page 5

Access Control Lists (ACLs)


• Firewalls are tools implemented to prevent unauthorized users from gaining access to your private network.

• Firewalls can either be stand-alone devices or combined with another hardware device like a server or a router.

• Firewalls can use a lot of various technologies to restrict information flow; the primary method is known as an access control list (ACL).

• ACLs typically reside on routers to determine which devices are allowed to access them based on the requesting device’s Internet Protocol (IP) address.
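As an added illustration (not from the slides), a small Python model of how a router ACL of the kind just described is evaluated, combining the MAC, IP and port filtering named in the chapter objectives; the rules, addresses and MACs are constructed values:

```python
import ipaddress

class Rule:
    """One ACL entry: IP, port and MAC filtering in a single line."""
    def __init__(self, action, src_net, dst_port=None, src_mac=None):
        self.action = action                               # "permit" or "deny"
        self.src_net = ipaddress.ip_network(src_net)       # IP filtering by source network
        self.dst_port = dst_port                           # port filtering; None = any port
        self.src_mac = src_mac.lower() if src_mac else None  # MAC filtering; None = any MAC

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src_ip"]) in self.src_net
                and (self.dst_port is None or pkt["dst_port"] == self.dst_port)
                and (self.src_mac is None or pkt["src_mac"].lower() == self.src_mac))

def evaluate(acl, pkt):
    """Router-style evaluation: the first matching entry wins; no match means deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # the implicit deny that ends every ACL

# Constructed example ACL. Order matters: the MAC-based deny precedes the broader
# permit for the same network, so it still takes effect for that one host.
ACL = [
    Rule("deny", "10.0.0.0/8", src_mac="00:11:22:33:44:55"),   # quarantined host
    Rule("permit", "10.0.0.0/8", dst_port=22),                 # SSH from inside only
    Rule("permit", "0.0.0.0/0", dst_port=443),                 # HTTPS from anywhere
]

def decide(src_ip, dst_port, src_mac="aa:bb:cc:dd:ee:ff"):
    """Return the ACL verdict for one constructed packet."""
    return evaluate(ACL, {"src_ip": src_ip, "dst_port": dst_port, "src_mac": src_mac})
```

Swapping the first two rules would let the quarantined host through on port 22, which is the usual way an ACL fails silently.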

Page 6

Tunneling


• Tunneling means encapsulating one protocol within another to ensure that a transmission is secure.

• Here’s an example: The lion’s share of us use IP, known as a payload protocol, which can be encapsulated within a delivery protocol like Internet Protocol Security (IPSec). If you took a look at each packet individually, you would see that they’re encrypted.

Page 7

Tunneling Protocols


• There are several tunneling protocols in use that you need to be familiar with:
  – Virtual Private Network (VPN)
  – Secure Sockets Layer (SSL)
  – Secure Sockets Layer Virtual Private Network (SSL VPN)
  – Layer 2 Tunneling Protocol (L2TP)
  – Point-to-Point Tunneling Protocol (PPTP)
  – Internet Protocol Security (IPSec)

Page 8

Virtual Private Network (VPN)


A VPN is used so a host can traverse an insecure network (the Internet) and become local to the remote network.

Page 9

Virtual Private Network (VPN)


• Remote access VPNs
  – Remote access VPNs allow remote users like telecommuters to securely access the corporate network wherever and whenever they need to.

• Site-to-site VPNs
  – Site-to-site VPNs, or intranet VPNs, allow a company to connect its remote sites to the corporate backbone securely over a public medium like the Internet instead of requiring more expensive wide area network (WAN) connections like frame relay.

• Extranet VPNs
  – Extranet VPNs allow an organization’s suppliers, partners, and customers to be connected to the corporate network in a limited way for business-to-business (B2B) communications.

Page 10

SSL and SSL VPN


The SSL connection process

• Secure Sockets Layer (SSL). This security protocol was developed by Netscape to work with its browser. It’s based on Rivest, Shamir, and Adleman (RSA) public-key encryption and used to enable secure Session-layer connections over the Internet between a web browser and a web server.

• An SSL VPN is really the process of using SSL to create a Virtual Private Network (VPN).

Page 11

L2TP and PPTP


• L2TP
  – Layer 2 Tunneling Protocol (L2TP), created by the Internet Engineering Task Force (IETF), supports non-TCP/IP protocols in VPNs over the Internet.
  – L2TP is a combination of Microsoft’s Point-to-Point Tunneling Protocol (PPTP) and Cisco’s Layer 2 Forwarding (L2F) technologies.

• PPTP
  – Point-to-Point Tunneling Protocol was developed jointly by Microsoft, Lucent Technologies, 3COM, and a few other companies.
  – Not sanctioned by the IETF.
  – PPTP acts by combining an unsecured Point-to-Point Protocol (PPP) session with a secured session using the Generic Routing Encapsulation (GRE) protocol.

Page 12

IPSec


• IPSec works in two modes: transport mode and tunnel mode.

• Transport mode is the simpler of the two; it creates a secure IP connection between two hosts.

• The data is protected by authentication and/or encryption.

IP Security (IPSec) was designed by the IETF for providing authentication and encryption over the Internet. It works at the Network layer of the OSI model (Layer 3) and secures all applications that operate in the layers above it.

Page 13

IPSec – Tunnel Mode


• In tunnel mode, the complete packet is encapsulated within IPSec.

• ESP gives us both authentication and encryption.

• Tunnel mode is created between two endpoints, such as two routers or two gateway servers, protecting all traffic that goes through the tunnel.

Page 14

Encryption


• Encryption works by running the data (which when encoded is represented as numbers) through a special encryption formula called a key that the designated sending and receiving devices both “know.” When encrypted data arrives at its specified destination, the receiving device uses that key to decode the data back into its original form.

• An encryption key is essentially a table or formula that defines a specific character in the data that translates directly to the key. Encryption keys come in two flavors: public and private.

Page 15

Encryption Standards


Data Encryption Standard (DES)

• IBM developed the most widely used private-key system: Data Encryption Standard (DES).

  – It was made a standard in 1977 by the U.S. government.

• DES uses lookup and table functions and works much faster than public-key systems.

• DES uses 56-bit private keys.

Triple Data Encryption Standard (3DES)

• Triple Data Encryption Standard (3DES) was originally developed in the late 1970s.

• It was the recommended method of implementing DES encryption in 1999.

• 3DES encrypts three times, and it allows us to use one, two, or three separate keys.

• 3DES is slow.

Page 16

Encryption Standards (Cont)


Advanced Encryption Standard (AES)

• The Advanced Encryption Standard (also known as Rijndael) has been the “official” encryption standard in the United States since 2002.

• AES has key lengths of 128, 192, or 256 bits.

• The United States government has determined that 128-bit security is adequate for things like secure transactions and all materials deemed Secret.

• All Top Secret information must be encoded using 192- or 256-bit keys.

• The AES standard has proven amazingly difficult to crack.

Page 17

Public Key Encryption


• Public key encryption uses the Diffie-Hellman algorithm employing a public key and a private key to encrypt and decrypt data.

• The sending machine’s public key is used to encrypt a message to the receiving machine.

• The receiver decrypts the message with its private key.

• If the original sender doesn’t have a public key, the message can still be sent with a digital certificate, often called a digital ID, which verifies the sender of the message.

Page 18

Pretty Good Privacy (PGP)


• Freely available version of public-key encryption designed to encrypt data for email transmission.

Page 19

RAS


• Remote Access Services (RAS) is not a protocol but refers to the combination of hardware and software required to make a remote-access connection.

• The term was popularized by Microsoft when the company began referring to its Windows NT–based remote-access tools under this name.

  – Users would dial in via a modem.

  – They would be authenticated by the server.

  – They were asked for their username and password as if they were on the local network.

– Once logged in, users had access to data on the internal network just as if they were logged in locally.

Page 20

Remote Access


RDP

• Remote Desktop Protocol (RDP) allows users to connect to a computer running Microsoft’s Terminal Services. Most Windows-based operating systems include an RDP client.

• After establishing a connection, the user sees a terminal window that’s basically a preconfigured window that looks like a Windows or other operating system’s desktop.

PPP

• Point to Point Protocol (PPP) is a Layer 2 protocol that provides authentication, encryption, and compression services to clients logging in remotely.

PPPoE

• Point to Point Protocol over Ethernet (PPPoE) is an extension of PPP. Its purpose is to encapsulate PPP frames within Ethernet frames.

Page 21

Remote Access


ICA

• Independent Computing Architecture (ICA) is a protocol designed by Citrix Systems to provide communication between servers and clients.

• Citrix’s WinFrame uses ICA to allow administrators to set up Windows applications on a Windows-based server and then allow clients with virtually any operating system to access those applications.

SSH

• Designed as an alternative to command-based utilities such as Telnet that transmit requests and responses in clear text.

• Creates a secure channel between the devices and provides confidentiality and integrity of the data transmission. It uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.

Page 22

User Account and Resource Security


• Network Resource-Sharing Security Models

– Share-Level Security

– User-Level Security

• Managing User Accounts

– Disabling Accounts

– Setting Up Anonymous Accounts

– Limiting Connections

– Renaming the Maintenance Account

• Managing Passwords

– Minimum Length

– Complexity

Page 23

User-Authentication Methods


Public Key Infrastructure (PKI)

• Public Key Infrastructure (PKI) is a system that links users to a public key and verifies the user’s identity by using a certificate authority (CA).

• The CA is an online entity responsible for validating user IDs and issuing unique identifiers to confirmed individuals to certify that their identity can really be trusted.

Page 24

User-Authentication Methods


Kerberos

• Kerberos isn’t just a protocol; it’s an entire security system that establishes a user’s identity when they first log on to a system.

• Kerberos employs strong encryption for all transactions and communication.

• Kerberos is readily available, and the source code can be freely downloaded from the Internet.

Page 25

Authentication, Authorization, and Accounting (AAA)


RADIUS

• Although its name implies it, Remote Authentication Dial-In User Service (RADIUS) is not a dial-up server; it has evolved into more of a verification service.

• RADIUS is an authentication and accounting service used for verifying users over various types of links, including dial-up.

• RADIUS is a client-server based authentication and encryption service that maintains user profiles in a central database.

• RADIUS is also used in firewalls to verify the credentials given; if successful, access is granted.

Page 26

Authentication, Authorization, and Accounting (AAA)


TACACS+

• The Terminal Access Controller Access-Control System Plus (TACACS+) protocol is an alternative AAA method to RADIUS.

• TACACS+ separates authentication and authorization into two profiles (RADIUS uses one profile).

• TACACS+ utilizes the connection-based TCP protocol (RADIUS uses UDP).

• TACACS+ is considered more stable and secure than RADIUS.

Page 27

Network Access Control (NAC)


• Network Access Control (NAC) is a method of securing network hosts before they’re allowed to access the network.

• NAC is commonly used in implementations in wireless networking, where nodes are often added to and removed from the network freely.

• IEEE 802.1x is one of the most common forms of NAC.

Page 28

Challenge Handshake Authentication Protocol (CHAP)


• Challenge Handshake Authentication Protocol (CHAP) is a secure authentication protocol because with CHAP, the username and password never cross the wire. Instead, both the client and server are configured with the same text phrase that’s known as a shared secret.
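The challenge/response exchange described above, as an added Python example that is not part of the slides; it follows the MD5 response computation of RFC 1994 (MD5 over the identifier, the shared secret and the challenge), and the peer name and shared secret are constructed values:

```python
import hashlib
import hmac
import os

# Constructed example secret: provisioned on both client and server, never sent.
SHARED_SECRET = b"correct horse battery staple"

def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: MD5(Identifier || secret || challenge).
    This digest is the only thing that crosses the wire."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class ChapServer:
    """Authenticator side: issues challenges and checks the responses."""
    def __init__(self, secrets):
        self.secrets = secrets      # peer name -> shared secret, held locally
        self.next_id = 0
        self.outstanding = {}       # identifier -> challenge awaiting a response

    def challenge(self):
        self.next_id = (self.next_id + 1) & 0xFF
        chal = os.urandom(16)       # fresh, unpredictable challenge per attempt
        self.outstanding[self.next_id] = chal
        return self.next_id, chal

    def verify(self, identifier, name, response):
        chal = self.outstanding.pop(identifier, None)   # a challenge is answered once
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time comparison

def chap_client(identifier, challenge, name, secret):
    """Peer side: proves knowledge of the secret without transmitting it."""
    return name, chap_response(identifier, secret, challenge)

def run_exchange(client_secret):
    """One Challenge / Response / Success-or-Failure round; True only on a match."""
    server = ChapServer({"alice": SHARED_SECRET})
    ident, chal = server.challenge()
    name, resp = chap_client(ident, chal, "alice", client_secret)
    return server.verify(ident, name, resp)

def replay_is_rejected():
    """A captured response is useless later: the challenge it answered is consumed."""
    server = ChapServer({"alice": SHARED_SECRET})
    ident, chal = server.challenge()
    name, resp = chap_client(ident, chal, "alice", SHARED_SECRET)
    return server.verify(ident, name, resp) and not server.verify(ident, name, resp)
```

Because the server must recompute the digest, it needs the secret in usable form, which is the local clear-text storage the MS-CHAP slide contrasts against.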

Page 29

Other AAA


MS-CHAP

• Microsoft has its own variation of CHAP known as Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).

• Unlike CHAP, which requires the shared secret to be stored locally in clear text, MS-CHAP encrypts the secret locally.

• MS-CHAP version 2 is capable of mutual authentication so that the client can be sure the server is legitimate as well.

Extensible Authentication Protocol (EAP)

• Extensible Authentication Protocol (EAP) is an extension to PPP providing additional authentication methods for remote access clients:

  – Smart cards
  – Certificates
  – Kerberos
  – Biometric schemes (retinal scans and fingerprint)

Page 30

Summary


• Summary

• Exam Essentials Section

• Written Labs

• Review Questions