Network access security methods

Unit objective
  Explain the methods of ensuring network access security
  Explain methods of user authentication

Network Access Control
  Ensures that computers comply with security policies
  Network Access Protection (NAP)
  Overall NAC architecture

IPSec protocols
  Authentication Header (AH)
  Encapsulating Security Payload (ESP)
  IP Payload Compression Protocol (IPComp)
  Internet Key Exchange (IKE)

PPPoE
  Encapsulates PPP inside Ethernet frames
  Allows users to establish a secure connection from one computer to another
  Used to connect multiple users to the Internet through DSL and cable modem connections

SSH
  Remote command-line access
  Server service and client program
  Native to Linux distributions
  SSH-2
    – Transport layer
    – User Authentication layer
    – Connection layer

Single sign-on
  User is authenticated to other resources based on strength of initial sign-on
  SSL, LDAP
  Windows Live ID, Microsoft Passport, OpenID

Kerberos
  Current version is 5
  Provides authentication on physically insecure networks
  Freely available in U.S. and Canada
  Authenticates users over open multi-platform network using single login

Kerberos system components
  Principal
  Authentication server
  Ticket-granting server
  Key distribution center
  Realm
  Remote ticket-granting server

EAP
  PPP extension
  Used in wireless connections
  Can use token cards, one-time passwords, certificates, biometrics
  Runs over Data Link layers
  Defines formats
    – LEAP
    – EAP-TLS
    – EAP-FAST

Mutual authentication
  Client and server authenticate to each other
  Also known as two-way authentication
  Trust other computer's digital certificate
  Can block rogue services

Cryptography
  Science of encryption
  Encryption = convert to unreadable format
  Decryption = convert back to readable format
  Algorithm = procedure for encrypting or decrypting
  Cipher = encryption & decryption algorithm pair

Keys
  Secret information used by cipher
  Symmetric = same key for encryption and decryption
  Asymmetric = differing keys for encryption and decryption
  Key sharing and management issues

Public key cryptography
  Asymmetric
  Two keys
    – What one encrypts, only the other can decrypt
    – One kept private
    – One shared (public)
  Encryption process
  Keys mathematically related

Public key cryptography (continued)
  Mathematically difficult to derive private key from public key
  Data encrypted with public key can be decrypted only with the private key
  Data encrypted with private key can be decrypted only with the public key

Setup and initialization phase
  Process components
    – Registration
    – Key pair generation
    – Certificate generation
    – Certificate dissemination

RADIUS
  Remote Authentication Dial-In User Service
  Client = network access server or device (e.g., wireless router)
  Server = AAA service provider

RADIUS authentication
  1. User connects to NAS
  2. RADIUS client requests authentication from server
  3. User supplies logon credentials
  4. Client encrypts and forwards to server
  5. Server authenticates, returns message
  6. Client receives message and acts
    – Accept
    – Reject
    – Challenge
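
Steps 4 to 6 above in working form, as an added example rather than anything from the original slides: a minimal RFC 2865 Access-Request and Access-Accept/Access-Reject round trip in Python, where the client hides the User-Password under the shared secret and checks the Response Authenticator before acting on the reply. The shared secret, user name and password are constructed demo values.

```python
import hashlib
import hmac
import os
import struct

SECRET = b"example-shared-secret"  # constructed demo value, not from the page
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def password_xor(data, secret, req_auth, hiding):
    """RFC 2865 User-Password keystream: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", req_auth  # the first block is keyed by the 16-byte Request Authenticator
    for i in range(0, len(data), 16):
        blk = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + blk, (blk if hiding else data[i:i + 16])
    return out

def hide_password(password, secret, req_auth):  # only this attribute is hidden; the rest is cleartext
    return password_xor(password + b"\x00" * (-len(password) % 16), secret, req_auth, True)
def reveal_password(hidden, secret, req_auth):  # server side; strips the NUL padding again
    return password_xor(hidden, secret, req_auth, False).rstrip(b"\x00")
def attr(t, v):  # one type-length-value attribute
    return struct.pack("!BB", t, len(v) + 2) + v

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        if data[i + 1] < 2: raise ValueError("malformed attribute")  # zero length would loop forever
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def build_access_request(ident, user, password, secret=SECRET):
    """Client (NAS) step 4: hide the password and forward it with the request."""
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_respond(request, users, secret=SECRET):
    """Server step 5: Accept or Reject, with Response Authenticator = MD5(Code|ID|Len|ReqAuth|Attrs|Secret)."""
    ident, req_auth, attrs = request[1], request[4:20], parse_attrs(request[20:])
    ok = users.get(attrs.get(USER_NAME)) == reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def client_verify(request, response, secret=SECRET):
    """Client step 6: verify the Response Authenticator before acting; returns the code or None."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return response[0] if hmac.compare_digest(expected, resp_auth) else None
```

Only the password attribute is hidden by this MD5 construction and the rest of the request is cleartext, which is the point of the "message body fully encrypted" contrast on the TACACS+ slide.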

TACACS+ vs. RADIUS
  TCP rather than UDP
  Message body fully encrypted
  AAA services provided independently
  Flexible
    – Username/password, ARA, SLIP, PAP, CHAP, Telnet
  Multiprotocol
    – TCP/IP, AppleTalk, NetBIOS, Novell Async Services Interface, X.25

802.1X
  Authentication protocol
  Device access control
  Works with RADIUS and TACACS+
  Device roles
    – Supplicant (end-user device)
    – Authenticator
    – Authentication server