Policy-based Authentication and Authorization:Secure Access to the Network Infrastructure

Jeff HayesAlcatel IND

Overview

A gaping hole in many of today's networks is the weaksecurity surrounding the network devices themselves--therouters, the switches, and the access servers. In all publicnetworks and in some private networks, the networkdevices are shared virtually among different usercommunities. Access to the configuration schemes andcommand lines is most often an “all or nothing”proposition--the network administrator gets either read-only privileges or read / write privileges. In this case,authentication equals authorization. Herein lies theproblem.

Security policies may mandate certain administratorshave read-only capabilities for all device parameters andread / write capabilities for a certain subset of commands.Each administrator may have a unique access profile.Authentication verifies identity. Authorization verifiesprivileges. This paper will address the value of using acentralized provisioned management structure thatdisseminates network policies and administrationprivileges to all the devices that make up the networkinfrastructure.

Authentication

With the mission critical nature of today's LANs,businesses cannot afford to have their data networkscompromised by unauthorized users. Until now, the mainsecurity device or implementation for network access hasbeen the firewall or router-based access control lists.Providing a barrier between untrusted networks (like theInternet) and internal, trusted networks is important but itdoes not end there.

Security experts today warn that while the externalthreat to networks is real, the largest threat often comesfrom inside the company. Authentication of internal usershas long been established as the primary security devicefor file servers, network operating systems, andmainframes. There are also authentication requirementsfor routing tables (RIP, OSPF, BGP4), switch ports,router and switch configuration files, and web servers, toname but a few.

Traditional authentication--userID and passwordsubmitted in clear text--are typically not adequate formost security policies. People tend to use simplepasswords or write them down in view of a potentialperpetrator. Passwords can be stolen, sniffed, guessed,

attacked via freeware dictionary tools or brute forceattacks, compromised though insecure password files, andobtained through social engineering. Some passwordsnever expire. Some expire every 60 to 90 days withoutallowing the user to reuse an old password. Some areshort, simple alpha characters only. Others are acombination of alpha, numeric, and special characters.Some password files are stored in clear text; others areencrypted. Many are transmitted in cleartext; others ascipher text. Whatever the method, some identification isbetter than none.

An area often overlooked is the authenticationassociated with the network infrastructure--the routers,switches, and access servers. The same issues associatedwith network operating systems and user applicationshave bearing in the infrastructure. Some methods arestrong while other are weak. The idea presented here is todistribute device and user authentication to these devicesto a standalone authentication server, as opposed tostoring the information on each device independently.

For the past decade, the IT industry has seen anevolution in authentication techniques. Though most usersrely on a user ID and password to establish their identity,more reliable authentication schemes involve multiplefactors, insuring a great chance of accurate identification.These factors include:

Something you are, a biometric characteristic that isunique to every human. Fingerprints, hand prints, faces,retinas, voices, and keystroke timing can all be tied to aunique individual.

Something you know, the user ID and passwordmethod. It is currently the most widely used form ofidentification.

Something you possess, which typically involvesexternal security devices including banking / ATM cards,tokens, and smart cards.

Advanced multiple-factor authentication techniquesare needed to provide assurance that the user desiringconnectivity is who she claims to be. There are a numberof key methods for implementing this level ofauthentication.

One-time password schemes provide authenticationover unsecured networks. The schemes can be based onone of two systems: 1) passwords stored both on a clientdevice and on a central server; or 2) passwords kept on acentral system and requested on demand by users.Because each password is only used once, most are sentin clear, unencrypted text, for example SASL methodslike S/KEY.

Time-based passwords are based on both a passwordand an external security device. Users desiring accesspossess a hand-held device or token. When prompted tolog in they identify themselves with an ID and a one-timepassword that is displayed on the token. The resultingpassword is a combination of a PIN and the numbergenerated by the device's LCD. The users' temporaryLCD number is synchronized with a centralauthentication server. If they match, the user isauthenticated. An example is an RSA' SecurID token andACE/Server.

Challenge and response systems are also two-factorauthentication systems that leverage hand-held devices.The initial login request causes the authentication serverto generate a random numeric challenge. Users unlocktheir hand-held device by punching in a PIN on the card'skeypad. Users enter the challenge into the card as it wasreceived. The card uses a known algorithm, like DataEncryption Standard (DES), to calculate and display theresponse to the challenge. Users enter the card's responseto complete the login process. CRAM is the commontechnology used for this.

Smart cards are similar to the aforementioned tokensystems but contain more intelligence and processingpower--small microprocessors with embedded encryption.Smart cards communicate directly with the authenticationserver through a card reader. Users provide the initial PINand the card does the rest--exchanges keys and agrees onthe encryption algorithms to be used.

These authentication technologies are typicallycomplemented by services and / or servers that facilityuser profile management. The following authenticationservices add the element of authorization to theauthorization process, something not provided by theabove solutions.

Remote Access Dial In User Service (RADIUS)systems use a client or agent to facilitate users' loginrequests. The client passes the information to a RADIUSserver, which authenticates the user. All communicationbetween the client and server is authenticated and not sentin clear text. Servers can support a variety ofauthentication methods including PAP, CHAP, UNIXlogin, time-based tokens, and challenge / responsesystems. RADIUS is widely used by ISPs and other dial-up applications. RADIUS is also being used for userauthentication, authorization, and accounting beyond dial-up applications, including LAN-based applications. Assuch, a new standard known as DIAMETER is beingproposed that attempts to expand on RADIUS' knownshortcomings, resulting in a broader protocol.

X.500 Directory Servers with X.509 using eithersimple (passwords) or strong (public-key) authenticationaccessible via the Lightweight Directory Access Protocol(LDAP) are becoming a critical information repository forend user profiles. Most of X.509 security elements areprovided by RSA's Public Key Cryptography Standards(PKCS), although other methods exist. As networkadministrators see the value of minimizing the number ofdirectories, there will be a move to consolidate directoriesand / or to utilize the meta-directory concept. The BurtonGroup defines a meta-directory service as being a class ofenterprise directory tools that integrate existing, or"disconnected," directories by addressing both thetechnical and political problems inherent in any large-scale directory integration project. A big challenge albeita worthy one.

Kerberos is a strong, single sign-on authenticationsystem with a goal of validating a principal's identity. Aprincipal can be a client, a program, or a service. For eachservice a client needs, a server generates a ticket for thatclient / server session. Each ticket contains a number ofcomponents: client, server, address, time stamp, lifetime,key (c/s), and key (s). Kerberos is a published standardand is a true single sign-on technology--user logs in onceand gains access to all pre-authorized resources withoutrequiring a new or re-entered password. Kerberos is in usein many environments, namely North American collegesand universities. With Windows 2000 using Kerberos v5as its default network authentication protocol, Kerberosmay now become mainstream, albeit Microsoft's versionof mainstream.

For many, especially in the enterprise, the idea ofsingle sign-on is a network panacea. But given efforts bystandards groups (GSS-API and CDSA) and individualcompanies like Novell (NICI), Microsoft (SSPI andCryptoAPI), and Sun (Java 2), it appears it will be sometime before homogenous authentication will be a reality.

Authorization

Authorization is the granting of privileges associatedwith an authenticated user, device, or host. The traditionalway authorization is granted is exemplified by commonoperating systems like UNIX. A super-user is the all-powerful system owner or administrator. That individualhas the authority to grant privileges to other users. Theseprivileges can be “read,” “write,” “append,” “lock,”“execute,” and “save”-- individually or in combination.Less traditional although analogous are the privilegesgranted to network administrators--those that manage thenetwork infrastructure.

A network is comprised of many different devices--from host machines to application, file, web, DNS, andcommunication servers; from remote access servers tohubs and workgroup switches on the edge; and fromWAN-oriented routers to LAN- or ATM-oriented coreswitches and routers. There is a growing need to grantprivileges to these systems on a need-to-know basis.

In order to permit this, the network devices must beable to support a provisioned management structure. Theprivileges that can be granted can be broken down intodevices, services, and configuration parameters.

Device access security is analogous to tradition accesscontrol list or firewall rules. The security administratorcreates specific rules that limits access to the networkdevices based on characteristics of the device requestingaccess, for example, source and / or destination IP addressor source MAC address. This traditional access controlconcept keeps all of the authorization on the device itself.The provisioned management structure proposed here tieson-device authentication and authorization rules to anexternal directory server. Access is granted provided thepolicy allows for it.

For example, an IP source (host or network) attemptsto access an IP destination (host or network). The networkdevice recognizes a policy exists for this request--it has amatching rule. It queries the directory to determine whatto do with it. The appropriate policy is returned to thedevice and implemented accordingly. Besides thisimplicit application, the policy could also be associatedwith explicit information like time-of-day or -month.

Services-based access involves management protocolslike telnet, FTP, TFTP, HTTP, and SNMP. Much likewhat is listed above for device security, it may be prudentto allow certain users access only to specific servicesbased on pre-defined policies. An example of howprivileges can be allocated within a group ofadministrators is shown below.

Configuration parameters are the tasks administratorsare allowed to perform once they have been authenticatedand granted access to the device. Similar to what isdescribed above for service privileges, policy may existthat only allocates management privileges to certain

individuals based on job descriptions. For example,policy may dictate that only the super user and the twosecurity managers have the ability to add, remove, orchange user security profiles or privileges.

These configuration submenus or individual commandprivileges are allocated and stored in a common directory.These access accounts can contain both implicit andexplicit rules ranging from device identifiers, networkIDs, TCP or UDP ports, as well a configuration submenucommand (CLI) privileges.

There are significant reasons for this fine-grainedprovisioning profile model. Most network devices have acombination of read-only and read / write privileges. Inmany cases, especially on tightly controlled enterprisenetworks, this is adequate. But as networks become morecomplex and as autonomous systems begin to share thesame devices, there is a need to segment theadministrative privileges into groups. This is magnifiedwhen network provisioning and management is out-sourced.

Many organizations look to external resources forassistance at managing their network edges and access.Managed services are a multi-billion dollar (U.S.)business. Managed service providers are offering high-speed access to corporate Intranets, connecting commonbusiness partners via Extranet designs, or providing directconnection to the Internet to multiple tenants from asingle device.

In the case of multi-tenant network access, the serviceprovider may want to give each customer some basictroubleshooting capabilities, but for their subnetworkonly. One tenant should not be able to see anythingrelative to anyone else's network. In fact, they shouldhave no idea that other tenants are sharing the same localaccess device. In addition, the service provider may notwant to give its own employees free access to the device.For example, it may be proper to give most of theoperations team read-only, routing, and VLANconfiguration privileges. Other policy may only give theprivilege of changing QOS parameters to a fewindividuals.

t

support a central repository for these policies. Thenetwork devices must be able to access those policiesbased on some event or pre-provisioned rule. The networkcan then decide what to do with the event in question. Thedevice must also have the ability to enforce the policy.This policy deployment scenario is referred to as policy-based network management.

Policy Management

The power of this provisioned management structure ismagnified when authentication and authorization arecoupled with a centralized directory or policy server.Conceptually, when an administrator authenticates to thenetwork, he / she is granted the ability to access all of thedevices, services, and configuration parameters he / shehas be pre-authorized to access. Each time theadministrator attempts to access a network device, thatdevice will query the policy server. The policy server willsend an acknowledgement to the device grantingauthorizations for the requested service.

Policy-based network management leveragesdirectories, the central repositories for policies. This isdone for a very good reason. Instead of configuring eachdevice with specific privileges, the devices consult thecentral directory for this information. This simplifiesadministration--instead of changing authentication andauthorization information on dozens or hundreds ofdevices, it is done at a central location.

Policy-based management implementations, thatleverage directory and policy servers, are offered by manyvendors including Alcatel, Cisco, Lucent, and Nortel. Allshare a common design. They are all based on the conceptof a policy console, a policy server or repository, a policydecision point (PDP), and a policy enforcement point(PEP).

In order for authorization policies to be disseminatedo the network devices, the network must be able to

Policies can be recalled via some triggered event or itcan be provisioned. In the case of the former, an event canbe the arrival of a frame that the network device is unsurehow to treat. For example, an IP source or destinationaddress, MAC address, or IP multicast membershiprecord can be the trigger. If the network device has nocached policy for that event, it must query the PDP. ThePDP receives its policies from the directory server whichare configured and stored there by a policy administratorvia policy console downloads. The PDP informs thenetwork device--which is the PEP--to follow specificpolicy instructions. The PEP implements the policy forthat frame and related session flow.

These policy management architectures are either atwo-tiered or three-tiered design. A two-tiered methodcombines the PDP and PEP in the same network device.The three-tiered method has the PDP and PEP running inseparate devices. The protocols used to communicatepolicies will depend on the newness of the products. Forexample, in newer gear, a separate PDP communicates tothe PEP via the Common Open Policy Service (COPS)protocol. In an integrated PDP / PEP, the policy iscommunicated from the policy repository via LDAP. Inolder networking gear, the policy communication may beSNMP or CLI.

When the questions of availability and scalability areasked, the provisioned device management structureprovides a positive response. Depending on the valueplaced on the network and its availability, repositories andservers can be redundantly implemented. In addition,based on the number of devices that will be accessingpolicies and the volume of policy decisions that will needto be made, scalability can be designed into theimplementation.

An example of how a policy-based managementimplementation works is presented below. In thisscenario, the triggered event (#3) is an IP source address.The router has a rule (ACL) that states it must check with

the policy server (#4) in order to know how (or if) itshould be forwarded. The PDP compares the request withthe policy (obtained previously in #1 and #2). Once itknows this information, it informs the router how thepolicy should be enforced (#5). The traffic is thenforwarded based on the policy (#6).

The most effective manner this provisionedmanagement structure can operate in is when the policyserver, PDP and / or PEP, understand the concept of"state." State is best described as an awareness ofnetwork communications and the rules that are regulatingit. State tables contain information like who logged on,when, and which resources are being accessed. Fewpolicy or directory protocols understand the concept ofstate (COPS however does). For wide-scale usage,maintaining authentication and authorization state is apre-requisite.

Policy Security

Communications between the policy console, policyrepository, PDP and PEP must address security. It isbecoming unacceptable practice to communicate deviceconfiguration profiles and parameters across the networkin clear text. Adequate technology exists to allow thiscommunication to be secured.

Secure Socket Layer (SSL) and its cousin TransportLayer Security (TLS) are widely used transport protocolsthat, when couple with public-key cryptography, providea secure communications tunnel between clients andservers or between network devices. However, there is noassurance the user behind the client computer is anauthenticated user.

Simple Authentication and Security Layer (SASL) isa standards-based, general authentication mechanismwhich can be used by any connection-oriented protocol,like SNMP, LDAP, and S/KEY. Digest Authentication isalso a SASL mechanism used to secure HTTPcommunications, albeit less secure than others like SSL.

The best method for secure communications to / from /between the devices that make up the networkinfrastructure will be a fully-implemented Public KeyInfrastructure (PKI) based on X.509 authenticationfoundations and a standards-based family of encryptioncapabilities like RSA's PKCS. The issue with this modelis it relies too heavily on a single vendor, RSA. However,because the RSA protocols are platform independent andconsidered technically sound, their appeal is wide. Thereis plenty of activity by other vendors to attempt tostandardize PKI, without forcing vendors and the endusers to pay RSA fees.

Conclusion

How much security is enough? How much is notenough? This proposal about how one can use aprovisioned management structure for the networkinfrastructure is only useful to the organization thatunderstands the value of its network and the informationcontained therein. For many, this management model isoverkill. For others, it is well suited. Whatever the desire,organizations must understand the value of their networksand calculate the cost to the business if the network wereunavailable.

The result of this assessment should be a corporatesecurity policy document. This document will be the planthat a company will follow for all its security issues. Itwill clearly spell out the business values (strengths) andweaknesses (vulnerabilities). It will delineate what isimportant and what is not. From this, the corporatesecurity budget, procedures, technologies, actions, andawareness programs can be deployed. Hopefully,requiring secure access to the network infrastructure willbe part of the corporate information security agenda.

References

Enterprise Security, M. Kabay; 1996.The Burton Group; various Network Strategy Reports;

1999.