JD. Willard MCSE, MCSA, Network+

elbowshelmet (Networks and Communications)

30 Oct 2013 (3 years and 11 months ago)


CIST 1601 Information Security Fundamentals

Chapter 5 Access Control and Identity Management

Compiled By

JD. Willard MCSE, MCSA, Network+

Attention: Accessing Videos in this document.

Videos with blue links are linked to Professor Messer on YouTube and require nothing but a browser.

Videos with red links require that you be logged in to the Virtual Technical College web site when you click on them to run.

To access and log in to the Virtual Technical College web site:

To access the site type www.vtc.com in the url window

Log in using the username: ATCStudent1

Enter the password: student (case sensitive)

If you should click on the demo link and you get an Access Denied it is because you have not logged in to vtc.com or you need to log out and log back in.


Chapter 5 Access Control and Identity Management 175

No matter what the network connection method, resource interactions are always managed by access control mechanisms.


Access Control Basics 177

Identification vs. Authentication 177

To access resources on a network, a user must prove who they are and that they have permissions to access the resources. This process consists of the following:

• Identification is the initial process of confirming the identity of a user requesting credentials and occurs when a user types in a user ID to log on. Identity proofing occurs during the identification phase as the user proves that they are who they say they are in order to obtain credentials. If a person has previously been identified, but cannot provide their assigned authentication credentials (such as a lost password), then identity proofing is called upon again.

• Authentication is the verification of the issued identification credentials. It is usually the second step in the identification process, and establishes the user's identity, ensuring that users are who they say they are.

Authentication is the process of validating user credentials that prove user identity. Authentication is typically the first step in connecting to a network. Following successful authentication, access controls can be implemented to allow or deny access to network resources.

A simple form of authentication sends a username and password to an authentication server. If the password is sent in clear text, the authentication credentials can be intercepted and used to impersonate an authorized user. One method of protecting logon credentials is by using a challenge/response mechanism (also called a three-way handshake). Using this process:

1. Both the authentication server and the authenticator are configured with a common shared secret. This shared secret is usually a password associated with a user account.

2. The authentication server sends a challenge string to the authenticator.

3. The authenticator uses the shared secret to hash the challenge string, and returns the user account name and the hashed value to the authentication server.

4. The authentication server uses its shared secret value to also hash the challenge string. If the two hashed values match, the authentication server assumes that the authenticator also knows the shared secret.

With the challenge/response method, the password is never sent through the network; only the hashed challenge string is exchanged. Be aware that the hashed challenge string is not even an encrypted form of the password.
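The four-step exchange above, written out as an added Python example (not code from the original notes): both sides hold the shared secret, only the keyed hash of the challenge crosses the wire, and the server accepts each challenge once so a captured response cannot be replayed. HMAC-SHA256 is assumed as the hash function and the account and secret are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample account database. The shared secret is the user's password,
# which both the authenticator (client) and the authentication server know (step 1).
SHARED_SECRETS = {"alice": "correct horse battery staple"}


def issue_challenge() -> bytes:
    """Step 2: the authentication server sends a fresh, random challenge string."""
    return os.urandom(16)


def hash_challenge(secret: str, challenge: bytes) -> str:
    """Steps 3 and 4: both sides hash the challenge with the shared secret.
    HMAC-SHA256 is an assumption here; the text does not name a hash function."""
    return hmac.new(secret.encode(), challenge, hashlib.sha256).hexdigest()


def client_respond(username: str, password: str, challenge: bytes) -> tuple:
    """Step 3: the authenticator returns the account name and the hashed value.
    The password itself never leaves the client."""
    return username, hash_challenge(password, challenge)


def server_verify(username: str, response: str, challenge: bytes,
                  used_challenges: set) -> bool:
    """Step 4: the server hashes the same challenge with its own copy of the
    secret and compares. Each challenge is accepted once only, so a response
    captured on the wire cannot be replayed later; the comparison is
    constant-time so timing does not leak how much of the hash matched."""
    if challenge in used_challenges:
        return False
    used_challenges.add(challenge)
    secret = SHARED_SECRETS.get(username)
    if secret is None:
        return False
    expected = hash_challenge(secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(username: str, password: str) -> bool:
    """Run one complete three-way exchange and return the server's decision."""
    used: set = set()
    challenge = issue_challenge()
    name, response = client_respond(username, password, challenge)
    return server_verify(name, response, challenge, used)
```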

The three ways a user can prove identity to an authentication server are:

Type 1: Something you know

Something you know authentication requires you to provide a password or some other data that you know. This is the weakest type of authentication. Examples of something you know authentication controls are:

• Passwords, codes, or IDs
• PINs
• Pass phrases (long, sentence-length passwords)
• Cognitive information such as questions that only the user can answer, including:
  o Your mother's maiden name
  o The model or color of your first car
  o The city where you were born
• Composition passwords, which are created by the system and are usually two or more unrelated words divided by symbols on the keyboard

Note: Usernames are not a form of Type 1 authentication. Usernames are often easy to discover or guess. Only the passwords or other information associated with the usernames can be used to validate identity.

Type 2: Something you have

Something you have (also called token-based authentication) is authentication based on something a user has in their possession. Examples of something you have authentication controls are:

• Swipe cards (similar to credit cards) with authentication information stored on the magnetic strip.

• Photo IDs are very useful when combined with other forms of authentication, but are high risk if they are the only form of required authentication. Photo IDs are easily manipulated or reproduced, require personnel for verification, and cannot be verified against a system.

• Smart cards contain a memory chip with encrypted authentication information. Smart cards can:
  o Require contact such as swiping or they can be contactless.
  o Contain microprocessor chips with the ability to add, delete, and manipulate data on it.
  o Store digital signatures, cryptography keys, and identification codes.
  o Use a private key for authentication to log a user into a network. The private key will be used to digitally sign messages.
  o Be based on challenge-response. A user is given a code (the challenge) which he or she enters into the smart card. The smart card then displays a new code (the response) that the user can present to log in.

Types of token-based authentication are:

• Using a static password, the password is saved on the token device. Swiping the token supplies the password for authentication.

• A synchronous dynamic password generates new passwords at specific intervals on the hardware token. Users must read the generated password and enter it along with the PIN to gain access.

• An asynchronous dynamic password generates new passwords based on an event, such as pressing a key.

• A challenge-response password generates a random challenge string. The challenge text is entered into the token, along with the PIN. The token then uses both to generate a response used for authentication.

Smart cards typically use certificates for identification and authentication. With certificates, the digital document is associated with a user in one of the following ways:

• With a one-to-one mapping, each certificate maps to an individual user account (each user has a unique certificate).

• With many-to-one mapping, a certificate maps to many user accounts (a group of users share the same certificate).

Digital certificates require the implementation of a PKI, which has high administrative overhead.

Type 3: Something you are

Something you are authentication uses a biometric system. A biometric system attempts to identify a person based on metrics or a mathematical representation of the subject's biological attribute. This is the most expensive and least accepted, but is generally considered to be the most secure form of authentication.

Common attributes used for biometric systems are:

• Fingerprints (end point and bifurcation pattern)
• Hand topology (side view) or geometry (top down view)
• Palm scans (pattern, including fingerprints)
• Retina scans (blood vein pattern)
• Iris scans (color)
• Facial scans (pattern)
• Voice recognition
• Handwriting dynamics
• Keyboard or keystroke dynamics (behavioral biometric systems)
  o Dwell time (key press time)
  o Flight time (how fingers move from key to key)

When implementing a biometric system, the attribute that is used for authentication must meet the following criteria:

• Universality means that all individuals possess the attribute.
• Uniqueness means that the attribute is different for each individual.
• Permanence means that the attribute always exists and will not change over time.
• Collectability ensures that the attribute can be measured easily.
• Performance means that the attribute can be accurately and quickly collected.
• Circumvention allows for acceptable substitutes for the attribute in case the original attribute is missing or can't be read.
• Acceptability identifies the degree to which the technology is accepted by users and management.

Biometric systems include multiple scans of the biological attribute. Scans are then translated into a numeric constellation map of critical points. That mathematical representation is bound to a digital certificate that links to the subject's user account in the user database. Most biometric systems require implementation of a PKI system.

You should be aware of the following terms used to measure the effectiveness of authentication solutions:

False negative: A false negative (or Type I error) occurs when a person who should be allowed access is denied access. The False Rejection Rate (FRR) is a measure of the probability that a false negative will occur.

False positive: A false positive (or Type II error) occurs when a person who should be denied access is allowed access. The False Acceptance Rate (FAR) is a measure of the probability that a false positive will occur. False positives are more serious than false negatives and represent a security breach because unauthorized persons are allowed access.

Crossover error rate: The crossover error rate, also called the equal error rate, is the point where the number of false positives matches the number of false negatives in a biometric system. Select the system with the lowest crossover error rate within your budget.

Processing rate: The processing rate, or system throughput, identifies the number of subjects or authentication attempts that can be validated. An acceptable rate is 10 subjects per minute or above.
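An added Python example (not from the original notes) of how FRR, FAR and the crossover error rate are obtained from a biometric matcher: the decision threshold is swept over constructed sample match scores, and the threshold at which FAR and FRR meet is the crossover (equal) error rate. The score lists and the second system in the comparison are constructed values.

```python
# Constructed sample matcher output (higher score = closer match to the stored
# template). Genuine scores: enrolled users presenting their own biometric.
# Impostor scores: other people presenting against that template.
GENUINE_SCORES = [0.91, 0.88, 0.85, 0.79, 0.74, 0.70, 0.66, 0.62, 0.58, 0.52]
IMPOSTOR_SCORES = [0.61, 0.55, 0.50, 0.47, 0.42, 0.38, 0.33, 0.29, 0.24, 0.18]


def false_rejection_rate(genuine, threshold):
    """FRR: share of legitimate users rejected because their score fell below
    the threshold (false negatives)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor, threshold):
    """FAR: share of impostors accepted because their score reached the
    threshold (false positives, the security-breach case)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_rates(genuine, impostor, threshold):
    """Both rates at one decision threshold, as (FAR, FRR)."""
    return (false_acceptance_rate(impostor, threshold),
            false_rejection_rate(genuine, threshold))


def crossover_error_rate(genuine, impostor, step=0.01):
    """Sweep the threshold from 0.0 to 1.0 and return (threshold, rate) at the
    point where FAR and FRR are closest to equal: the crossover (equal) error
    rate. Raising the threshold (sensitivity set too high) trades false
    acceptances for false rejections, which is why the two curves cross."""
    best_gap, best_threshold, best_rate = None, None, None
    t = 0.0
    while t <= 1.0:
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, best_threshold, best_rate = gap, t, (far + frr) / 2
        t = round(t + step, 10)
    return best_threshold, best_rate


def pick_lowest_crossover(systems):
    """Given {name: (genuine_scores, impostor_scores)}, return the name of the
    system with the lowest crossover error rate, as the text recommends."""
    return min(systems, key=lambda n: crossover_error_rate(*systems[n])[1])
```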


Authentication (Single Factor) and Authorization 178

Multifactor Authentication 178

To increase security, you can use a combination of authentication methods as described in these options:

One-factor (Single-factor): Uses credentials of only one type, but may require multiple methods within the same type. Examples: To log in, you supply a username and a password (the username is not used for authentication, so the only credential supplied for authentication is the password). To log in, you supply a username, PIN, and a pass phrase (all credentials are of the same type).

Mutual: Requires that both parties authenticate with each other before beginning communications. Example: To log in, your computer sends its digital certificate to prove its identity to a network server. The server then proves its identity to your computer before they will exchange messages.

Two-factor, Three-factor, Multi-factor: Requires two (or more) different authentication types to be deployed. Example: To enter a secured building, you must insert your key card (Type 2) and undergo a retina scan (Type 3).

Strong: Requires two or more methods, but they can be of the same type. Example: To log on to an online banking system, you enter your username, password, and then must answer a random personal question (such as your birthplace or mother's maiden name).


If you are considering implementing biometrics, keep in mind the following:

• Some biometric factors are unique even between identical twins.

• When a biometric is used by itself, it is no more secure than a strong password. A single successful attack can subvert a biometric in much the same way that a single successful attack can subvert a password.

• Biometric attacks need not be physical harm based (such as cutting off a finger), but can include a wide variety of realistic reproductions that fool the biometric reader device.

• The most important consideration for a biometric device is accuracy.

• When a biometric device has its sensitivity set too high, it will result in numerous false negative rejections (i.e., when authorized users are not recognized and therefore rejected).

• To use a biometric, new users must go through a physical enrollment process that is more complex and time consuming than the enrollment process for a password-only based system.

• Biometric enrollment requires the new users to prove their identity to a user administrator. The new user must then provide the first example of their biometric to a reader device under the supervision of the user administrator. This first example is digitized and stored as a reference template. All future uses of the biometric will compare the contemporary biometric sample offered to the historical recorded template.


Operational Security 180

Operational security issues include network access control (NAC), authentication, and security topologies after the network installation is complete.

Whether or not your server operating system can force the change of a password is considered an operational security issue because it is concerned with the ability of the operating system to perform a specified function.

Network Access Control (NAC)

One of the most effective ways to protect the network from malicious hosts is to use network access control.

Network Access Control (NAC) controls access to the network by not allowing computers to access network resources unless they meet certain predefined security requirements. The premise behind NAC is to secure the environment by examining the user's machine and, based on the results, grant access accordingly.

• NAC requires a NAC agent (software to monitor the health of a machine) be installed on each computer as part of the security requirements for computers attempting to gain access.

• Conditions that can be part of the connection requirements include requiring that computers have:
  o Anti-virus software with up-to-date definition files.
  o An active personal firewall.
  o Specific operating system critical updates and patches.

• A client that is determined by the NAC agent to be healthy is given access to the network.

• An unhealthy client, which has not met all the checklist requirements, is either denied access or can be given restricted access to a remediation network, where remediation servers can be contacted to help the client to become compliant. For example, remediation servers might include anti-virus software and definition files that can be installed. If and when the unhealthy client's status changes to healthy, the client is given access to the network.

• NAC is often used with 802.1X as an authentication protocol for port-based security. In addition to meeting authentication requirements, the client must also meet health requirements before access will be granted through 802.1X.

• The basic components of NAC products are:
  o The access requestor (AR), which is the device that requests access.
  o The policy decision point (PDP), which is the system that assigns a policy based on the assessment.
  o The policy enforcement point (PEP), which is the device that enforces the policy. This device may be a switch, firewall, or router.

• The four ways NAC systems can be integrated into the network are:
  o Inline
  o Out-of-band
  o Switch based
  o Host based

The business benefits of NAC include compliance, a better security posture, and operational cost management.

Microsoft's version of the NAC security tool is Network Access Protection (NAP).


Tokens 180

See Something You Have under Identification vs. Authentication above.

The Security Token system functions in this manner. If your token does not grant you access to certain information, that information will either not be displayed or your access will be denied.

Tokens are created when a user or system successfully authenticates. The token is destroyed when the session is over.


Potential Authentication and Access Problems 181

A trust is an established relationship between different domains that allows mutual authentication, communication, and access to resources between the domains. Trust details include the following:

• The direction of trust is typically identified with an arrow.
  o A one-way trust is a unidirectional authentication path created between two domains. For example, if Domain A trusts Domain B, the arrow would point from Domain A to Domain B. Domain A is the trusting domain, and Domain B is the trusted domain.
  o A two-way trust is the same as two one-way trusts in opposite directions. Both domains that are involved in a trust relationship trust each other, meaning authentication requests are passed between the two domains in both directions.

• Resource access is granted opposite of the direction of trust. For example, if Domain A trusts Domain B, users in Domain B have access to resources in Domain A (remember that users in the trusted domain have access to resources in the trusting domain).

• Transitivity defines whether trust between domains flows or is inherited to other trusted domains.
  o A transitive trust allows the trust relationship to flow among domains.
  o With a non-transitive trust, trust relationships must be explicit between domains.

By default, Active Directory creates two-way transitive trusts between parent and child domains in the tree or forest. These are known as Active Directory trusts or Kerberos trusts.

A transitive access attack involves threat agents acquiring more trust than they should by joining the domain, and therefore having unauthorized access to resources.
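An added Python example (not from the original notes) that models the trust rules above: the arrow runs from trusting to trusted domain, resource access runs the opposite way, and only an unbroken chain of transitive trusts is inherited. The forest layout and domain names are constructed; it shows that a one-way, non-transitive trust to a partner domain gives that partner's users nothing beyond the one domain that explicitly trusts them.

```python
from collections import deque

# A trust is recorded as (trusting_domain, trusted_domain, transitive). The arrow
# in the text points from the trusting domain to the trusted domain.


def two_way_trust(a, b, transitive=True):
    """A two-way trust is two one-way trusts in opposite directions."""
    return [(a, b, transitive), (b, a, transitive)]


# Constructed sample forest (hypothetical names): a root domain with two child
# domains joined by the default two-way transitive trusts, plus an explicit
# one-way, non-transitive trust from the engineering domain to an outside partner.
TRUSTS = (
    two_way_trust("corp.example", "sales.corp.example")
    + two_way_trust("corp.example", "eng.corp.example")
    + [("eng.corp.example", "partner.example", False)]
)
ALL_DOMAINS = ["corp.example", "sales.corp.example",
               "eng.corp.example", "partner.example"]


def trusted_domains(trusting, trusts):
    """Every domain that `trusting` trusts: its direct trusts, plus whatever is
    reachable through an unbroken chain of transitive trusts. A non-transitive
    trust is honoured directly but is never followed any further."""
    outgoing = {}
    for src, dst, transitive in trusts:
        outgoing.setdefault(src, []).append((dst, transitive))
    result, expanded = set(), set()
    queue = deque()
    for dst, transitive in outgoing.get(trusting, []):
        result.add(dst)
        if transitive:
            queue.append(dst)
    while queue:
        current = queue.popleft()
        if current in expanded:
            continue
        expanded.add(current)
        for dst, transitive in outgoing.get(current, []):
            if not transitive or dst == trusting:
                continue
            result.add(dst)
            queue.append(dst)
    return result


def accessible_resources(user_domain, trusts, all_domains):
    """Resource access runs opposite to the trust arrow: users in the trusted
    domain reach resources in the trusting domain. So a user from `user_domain`
    can be granted resources in every domain that (directly or transitively)
    trusts `user_domain`."""
    return {d for d in all_domains if user_domain in trusted_domains(d, trusts)}
```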

Client-side

A client-side attack exploits vulnerabilities in client applications that interact with a malicious server. A typical example of a client-side attack is a malicious web page targeting a specific browser vulnerability that would give the malicious server complete control of the client system. JavaScript is an example of client-side scripting, where the client system runs the scripts that are embedded in Web pages. When pages download, the scripts are executed.


Authentication Issues to Consider 182

Setting authentication security, especially in supporting users, can become a high-maintenance activity for network administrators.

• On one hand, you want people to be able to authenticate themselves easily.
• On the other hand, you want to establish security that protects your company's resources.

Be wary of popular names or current trends that make certain passwords predictable.

Identity proofing is an organizational process that binds users to authentication methods. Identification proofing is invoked when a person claims they are the user, but cannot be authenticated, such as when they lose their password. They are typically asked to provide another value, such as mother's maiden name, to prove their identity.

Under no circumstance should the person proofing be allowed access immediately; instead their access information should be sent to their email account of record.

Identity proofing is the main component of authentication lifecycle management.

Authenticators for identity proofing include smart cards, biometrics, and one-time password (OTP) devices.


Understanding Remote Access Connectivity 184

Using the Point-to-Point Protocol 184

Point-to-Point Protocol (PPP)

The Point-to-Point Protocol (PPP) is used for dial-up connections. PPP provides no security, and should never be used for VPN connections.

PPP works with POTS, Integrated Services Digital Network (ISDN), and other faster connections such as T1.

PPP using a single B channel on an ISDN connection. In the case of ISDN, PPP would normally use one 64Kbps B channel for transmission.

PPP does not provide data security, but it does provide authentication using Challenge Handshake Authentication Protocol (CHAP). CHAP can be used to provide on-demand authentication within an ongoing data transmission.

PPP offers multiple protocol support including AppleTalk, IPX, and DECnet, and is widely used today as a transport protocol for dial-up connections.

PPP is a protocol for communicating between two points using a serial interface, and provides service at layer 2 of the OSI model. PPP can handle both synchronous and asynchronous connections.

A dial-up connection using PPP works well because it isn't common for an attacker to tap a phone line. You should make sure all your PPP connections use secure channels, dedicated connections, or dial-up connections.

PPP over Ethernet (PPPoE) is used for connections that have an "always on" state, such as DSL or fiber optic running Ethernet. PPPoE is a modification of PPP that allows for negotiation of additional parameters that are typically not present on a regular Ethernet network. ISPs typically implement PPPoE to control and monitor Internet access over broadband links.




Working with Tunneling Protocols 185

Tunneling allows a network to make a secure connection to another network through the Internet or other network. Tunnels are usually secure and present themselves as extensions of both networks.

Tunneling protocols add a capability to the network: the ability to create tunnels between networks that can be more secure, support additional protocols, and provide virtual paths between systems.

The most common protocols used for tunneling are as follows:

Point-to-Point Tunneling Protocol (PPTP) was one of the first VPN protocols and was developed by Microsoft.

PPTP supports encapsulation in a single point-to-point environment. PPTP encapsulates and encrypts PPP packets. This makes PPTP a favorite low-end protocol for networks. The negotiation between the two ends of a PPTP connection is done in the clear. Once the negotiation is performed, the channel is encrypted. PPTP:

• Uses standard authentication protocols, such as Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP).
• Supports TCP/IP only.
• Encapsulates other LAN protocols and carries the data securely over an IP network.
• Uses Microsoft's MPPE for data encryption.
• Is supported by most operating systems and servers.
• Uses TCP port 1723.

Layer 2 Forwarding (L2F) is a VPN technology developed by Cisco as a method of creating tunnels primarily for dial-up connections.

L2F is similar in capability to PPP and should not be used over WANs. L2F does provide authentication, but it does not provide encryption.

L2F:

• Operates at the Data Link layer (layer 2).
• Offers mutual authentication.
• Does not encrypt data.
• Merged with PPTP to create L2TP.

Relatively recently, Microsoft and Cisco agreed to combine their respective tunneling protocols into one protocol: the Layer Two Tunneling Protocol (L2TP).

L2TP is a hybrid of PPTP and L2F. L2TP is primarily a point-to-point protocol. L2TP is an open standard for secure multi-protocol routing and is a tunneling protocol that can be used between LANs.

L2TP isn't secure, and you should use IPSec with it to provide data security.

L2TP:

• Operates at the Data Link layer (layer 2).
• Supports multiple protocols and can be used in networks besides TCP/IP. L2TP works over IPX, SNA, and IP.
• Uses IPSec for encryption. Combining L2TP with IPSec (called L2TP/IPSec) provides:
  o Per packet data origin authentication (non-repudiation)
  o Replay protection
  o Data confidentiality
• Is not supported by older operating systems.
• Uses TCP port 1701 and UDP port 500.

Secure Shell (SSH) is a type of tunneling protocol that allows access to remote systems in a secure manner.

• SSH was originally designed for UNIX systems. SSH is a program that allows connections to be secured by encrypting the session between the client and the server.
• SSH also provides secure equivalents of programs such as Telnet, FTP, and many of the other communications-oriented programs under UNIX.
• SSH transmits both authentication information and data securely during terminal connections with UNIX computers. SSH uses port 22.


Internet Protocol Security (IPSec) is not a tunneling protocol, but it can be used to digitally sign (authenticate) headers, encrypt and encapsulate packets, and can be used in conjunction with L2TP or by itself as a VPN solution. IPSec provides both authentication and encryption, and is regarded as one of the strongest security standards. IPSec includes two protocols that provide different features.

• Authentication Header (AH) provides authentication features. Use AH to enable authentication with IPSec. When AH protocol is used, IPSec digitally signs packet headers.
• Encapsulating Security Payload (ESP) provides data encryption. Use ESP to encrypt data.

Note: If you use only AH, data is not encrypted.

IPSec has two modes of operation, based on the relationship of the communicating devices to each other:

• Transport mode is used for end-to-end encryption of data. The packet data is protected, but the header is left intact (un-encapsulated), allowing intermediary devices (such as routers) to examine the packet header and use the information in routing packets. Use transport mode for communications within an autonomous LAN.
• Tunnel mode is used for link-to-link communications. Both the packet contents and the header are encrypted (encapsulated). Two routers that require secure communications should use IPSec in tunnel mode to encrypt packets.

IPSec can be used to secure communications such as:

• Host-to-host communications within a LAN.
• VPN communications through the Internet, either by itself or in conjunction with the L2TP VPN protocol.
• Any traffic supported by the IP protocol including Web, e-mail, Telnet, file transfer, and SNMP traffic as well as countless others.

Be aware of the following additional characteristics of IPSec:

• IPSec functions at the Network layer (layer 3) of the OSI model.
• IPSec uses either digital certificates or pre-shared keys.
• IPSec generally can't be used when a NAT proxy is deployed.

The Secure Sockets Layer (SSL) protocol has long been used to secure traffic generated by other IP protocols such as HTTP, FTP, and e-mail. SSL can also be used as a VPN solution, typically in a remote access scenario. SSL:

• Authenticates the server to the client using public key cryptography and digital certificates.
• Encrypts the entire communication session.
• Uses port 443, a port that is often already opened in most firewalls.

Implementations that use SSL for VPN tunneling include Microsoft's SSTP and Cisco's SSL VPN.


Working with RADIUS 186

TACACS/TACACS+/XTACACS 187

When implementing a remote access server, the remote access server typically controls access for remote access clients. Clients might be restricted to access only resources on the remote access server, or might be allowed access to resources on other hosts on the private network.

• Remote access policies identify allowed users and other required connection parameters.
• In a small implementation, user accounts and remote access policies are defined on the remote access server. With this configuration, if you have multiple remote access servers, you must define user accounts and policies on each remote access server.
• For larger deployments with multiple remote access servers, you can centralize the administration of remote access policies by using an AAA server (authentication, authorization, and accounting server).
  o Connection requests from remote clients are received by the remote access server and forwarded to the AAA server to be approved or denied.
  o Policies defined on the AAA server apply to all clients connected to all remote access servers.

Two common AAA server solutions include:

Remote Authentication Dial-In User Service (RADIUS)

Remote Authentication Dial-In User Service (RADIUS) is used by Microsoft servers for centralized remote access administration. RADIUS provides centralized remote user authentication, authorization, and accounting.

The centralized authentication, authorization, and accounting features of RADIUS allow central administration of all aspects of remote login. The accounting features allow administrators to track usage and network statistics by maintaining a central database.

RADIUS:

• Combines authentication and authorization using policies to grant access.
• Allows for the separation of accounting to different servers. However, authentication and authorization remain combined on a single server.
• Uses UDP ports 1812 and 1813.
• Uses a challenge/response method for authentication. RADIUS encrypts only the password using MD5.
• Often uses vendor-specific extensions. RADIUS solutions from different vendors might not be compatible.

A RADIUS server communicating with an ISP to allow access to a remote user. Notice that the remote server is functioning as a client to the RADIUS server. This allows centralized administration of access rights.


When configuring a RADIUS solution, configure a server as a RADIUS server to provide AAA services. Then configure all remote access servers as RADIUS clients.

A RADIUS server acts as either the authentication server or a proxy client that forwards client requests to other authentication servers. The initial network access server, which is usually a VPN server or dial-up server, acts as a RADIUS client by forwarding the VPN or dial-up client's request to the RADIUS server. RADIUS is the protocol that carries the information between the VPN or dial-up client, the RADIUS client, and the RADIUS server.
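What "RADIUS encrypts only the password using MD5" means in practice, as an added Python example (not code from the original notes): the User-Password attribute of an Access-Request is hidden with the RFC 2865 MD5 keystream derived from the shared secret and the Request Authenticator, while the User-Name and every other attribute are sent in the clear. The shared secret, username and password are constructed sample values.

```python
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes,
                       request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding. The password is padded with
    NUL octets to a multiple of 16, then each 16-octet block is XORed with
    MD5(secret + previous block); for the first block the 'previous block' is
    the 16-octet Request Authenticator from the packet header."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = _xor(padded[i:i + 16], keystream)
        hidden += block
        prev = block
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes,
                         request_authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream (it depends only on the shared
    secret and the Request Authenticator) and strip the NUL padding."""
    padded = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        padded += _xor(hidden[i:i + 16], keystream)
        prev = hidden[i:i + 16]
    return padded.rstrip(b"\x00")


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: one octet type, one octet total length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def access_request_attributes(username: bytes, password: bytes, secret: bytes,
                              request_authenticator: bytes) -> bytes:
    """Build the User-Name (type 1) and User-Password (type 2) attributes of an
    Access-Request. Only the password attribute is transformed; the username
    and every other attribute travel in the clear, which is what the text means
    when it says RADIUS encrypts only the password."""
    return (encode_attribute(1, username)
            + encode_attribute(2, hide_user_password(password, secret,
                                                     request_authenticator)))


def new_request_authenticator() -> bytes:
    """The RADIUS client picks a fresh random 16-octet Request Authenticator
    for each request, so the same password hides differently every time."""
    return os.urandom(16)
```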


Terminal Access Controller Access-Control System Plus (TACACS+)

Terminal Access Controller Access-Control System Plus (TACACS+) is a client/server-oriented environment, and it operates in a similar manner to RADIUS. TACACS+ allows credentials to be accepted from multiple methods, including Kerberos.

TACACS+ was originally developed by Cisco for centralized remote access administration. TACACS+ is used almost exclusively by Cisco.

TACACS+:

• Provides three protocols, one each for authentication, authorization, and accounting. This allows each service to be provided by a different server.
• Uses TCP port 49.
• Encrypts the entire packet contents and not just authentication packets.
• Supports more protocol suites than RADIUS.

TACACS and XTACACS are older protocols developed before TACACS+. While they sound similar, they are different, less secure protocols.

Points to consider when comparing RADIUS vs. TACACS+ are:

• TACACS+ and RADIUS have generally replaced earlier protocols in more recently built or updated networks, although TACACS and XTACACS are still running on many older systems.
• RADIUS is more interoperable because TACACS+ is Cisco proprietary.
• RADIUS performs better due to less encryption, less overhead, and more compatibility with other systems.
• TACACS+ is considered more reliable than RADIUS because of TCP.
• TACACS+ is more secure than RADIUS because RADIUS encrypts only the password; TACACS+ encrypts the entire session between the client and server.
• RADIUS is more secure than the original TACACS.
• PPTP does not work with RADIUS and TACACS+; L2TP can be used with RADIUS and TACACS+.
• Both solutions are vulnerable to buffer overflow attacks, birthday attacks, and packet sniffing.


VLAN Management 187

A virtual local area network (VLAN) allows you to create groups of users and systems and segment them on the network. This segmentation lets you hide segments of the network from other segments and thereby control access.

VLANs enable you to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. Networks can coexist on the same wiring and be unaware of each other.

VLANs allow administrators to segment or group users that have similar data sensitivity levels together and thereby increase security.

Virtual LAN (VLAN)

A virtual LAN (VLAN) is a logical grouping of computers based on switch port.

• VLAN membership is configured by assigning a switch port to a VLAN.
• A switch can have multiple VLANs configured on it, but each switch port can only be a member of a single VLAN (with one exception described below).
• VLANs can be defined on a single switch, or configured on multiple interconnected switches. With multiple switches, each switch can be configured with the same VLANs, and devices on one switch can communicate with devices on other switches as long as they are on the same VLAN.
• A trunk port is used to connect two switches together.
  o Typically, Gigabit Ethernet ports are used for trunk ports, although any port can be a trunking port.
  o A trunk port is a member of all VLANs, and carries traffic between the switches.
  o When trunking is used, frames that are sent over a trunk port are tagged by the first switch with the VLAN ID so that the receiving switch knows to which VLAN the frame belongs.
  o The trunking protocol describes the format that switches use for tagging frames with the VLAN ID.
  o Because end devices do not understand the VLAN tags, the tag is removed from the frame by the switch before the frame is forwarded to the destination device.
  o VLAN tagging is only used for frames that travel between switches on the trunk ports.
• In a typical configuration with multiple VLANs and a single or multiple switches, workstations in one VLAN will not be able to communicate with workstations in other VLANs. To enable inter-VLAN communication, you will need to use a router (or a Layer 3 switch).
• Using VLANs, the switch can be used to create multiple IP broadcast domains. Each VLAN is in its own broadcast domain, with broadcast traffic being sent only to members of the same VLAN.
• Creating VLANs with switches offers the following administrative benefits:
  o You can create virtual LANs based on criteria other than physical location (such as workgroup, protocol, or service).
  o You can simplify device moves (devices are moved to new VLANs by modifying the port assignment).
  o You can control broadcast traffic based on logical criteria (only devices in the same VLAN receive broadcast traffic).
  o You can control security (isolate traffic within a VLAN).
• When you use switches to create VLANs, you will still need routers to:
  o Route data in to and out of the local area network
  o Route data between VLANs
  o Apply firewall filtering rules to traffic
• VLANs are commonly used with Voice over IP (VoIP) to distinguish voice traffic from data traffic. Traffic on the voice VLAN can be given a higher priority to ensure timely delivery.

(Figure: A typical segmented VLAN)

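The tagging and stripping steps the trunk-port bullets describe, as an added example that is not part of the course text. It assumes the IEEE 802.1Q tag format (the page names no specific trunking protocol) and constructs its own sample Ethernet frame.

```python
"""Added example (not from the course text): how a trunking protocol tags a
frame with its VLAN ID on the way onto a trunk and strips the tag again
before delivery to an end device. Assumes the IEEE 802.1Q tag layout; the
sample frame below is constructed."""
import struct

TPID_8021Q = 0x8100      # Tag Protocol Identifier that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the two MAC addresses (what the
    first switch does before sending the frame out a trunk port)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= priority <= 7:
        raise ValueError("priority must be 0..7")
    tci = (priority << 13) | vlan_id          # PCP(3 bits) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes):
    """Return (vlan_id, priority) for a tagged frame, or None if untagged."""
    if len(frame) < 16:
        raise ValueError("frame too short")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag before forwarding to an access port; end devices
    do not understand VLAN tags."""
    if parse_tag(frame) is None:
        return frame
    return frame[:12] + frame[16:]


def forward_over_trunk(frame: bytes, ingress_vlan: int, egress_port_vlan: int):
    """Switch A tags on its trunk port, switch B reads the tag and only
    delivers (untagged) to an access port in the same VLAN. Returns the
    delivered frame, or None when the VLANs differ (isolation)."""
    tagged = tag_frame(frame, ingress_vlan)
    vid, _ = parse_tag(tagged)
    if vid != egress_port_vlan:
        return None
    return strip_tag(tagged)


# Constructed sample: destination MAC, source MAC, EtherType IPv4, 4 payload bytes
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45\x00\x00\x14")
```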


Understanding Authentication Services 189

LDAP 189

The Lightweight Directory Access Protocol (LDAP) is a lightweight protocol that allows users and applications to read from and write to an LDAP-compliant directory service, such as Active Directory, eDirectory, and OpenLDAP. The LDAP client must bind (i.e. authenticate) to the directory service before reading/writing to the database.

An LDAP directory is defined as a tree-like structure with entries, each of which consists of named attributes with values. Services, such as repository and distribution of digital certificates, can be handled by external servers running the LDAP protocol.

The LDAP directory service follows a client/server model. One or more LDAP servers contain the directory data; the LDAP client connects to an LDAP server to make a directory service request.

(Figure: Directory structure showing unique identification of a user)

In conjunction with Active Directory, LDAP uses four different name types:

• A Distinguished Name (DN) exists for every object in AD. These values can't be duplicates and must be unique. This is the full path of the object, including any containers.
• A Relative Distinguished Name (RDN) doesn't need to be a wholly unique value as long as there are no duplicates within the organizational unit (OU). As such, an RDN is the portion of the name that is unique within its container.
• A User Principal Name (UPN) is often referred to as a friendly name. It consists of the user account and the user's domain name and is used to identify the user (think of an e-mail address).
• The Canonical Name (CN) is the DN given in a top-down notation.
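The four name types above worked through in code, as an added example that is not part of the course text: it splits a DN into its RDNs, derives the top-down canonical name and the UPN, and checks the rule that an RDN need only be unique within its container. The account and domain names are constructed.

```python
"""Added example (not from the course text): parsing an Active Directory
style Distinguished Name into RDNs and deriving the canonical name and UPN.
All names below are constructed."""


def split_dn(dn: str) -> list:
    """Split a DN into RDNs, honouring backslash-escaped commas
    (e.g. 'CN=Willard\\, JD,OU=Staff,DC=example,DC=edu')."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def rdn_of(dn: str) -> str:
    """The RDN is the leftmost component: unique only within its container."""
    return split_dn(dn)[0]


def container_of(dn: str) -> str:
    """Everything to the right of the RDN is the container (parent) DN."""
    return ",".join(split_dn(dn)[1:])


def canonical_name(dn: str) -> str:
    """Top-down notation: domain components joined by dots, then the
    containers from the root down to the object, separated by '/'."""
    pairs = [r.split("=", 1) for r in split_dn(dn)]
    dcs = [v for t, v in pairs if t.upper() == "DC"]
    others = [v for t, v in pairs if t.upper() != "DC"]
    return ".".join(dcs) + "/" + "/".join(reversed(others)).replace("\\,", ",")


def upn(sam_account: str, dn: str) -> str:
    """UPN = account@domain, the e-mail-style 'friendly' name."""
    dcs = [r.split("=", 1)[1] for r in split_dn(dn) if r.upper().startswith("DC=")]
    return f"{sam_account}@{'.'.join(dcs)}"


def find_rdn_collisions(dns: list) -> list:
    """Two objects may share an RDN in different containers, but not in the
    same one (the full DN must stay unique). Returns the offending
    (container, rdn) pairs, compared case-insensitively as AD does."""
    seen, collisions = set(), []
    for dn in dns:
        key = (container_of(dn).lower(), rdn_of(dn).lower())
        if key in seen:
            collisions.append(key)
        seen.add(key)
    return collisions
```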

LDAP supports the following authentication modes when binding to a directory service:

Mode: Anonymous
Characteristics: Only a username (no password) is required to authenticate.

Mode: Simple
Characteristics:
• A username and password are required.
• Normally, the username and password are passed in clear text.
• LDAP uses ports 389 (TCP) and 636 (UDP) by default.
  o For unsecured sessions, LDAP uses port 389.
  o To protect simple authentication, port 636 is used for LDAP over SSL.

Mode: Simple Authentication and Security Layer (SASL)
Characteristics:
• SASL is an extensible mechanism for protecting authentication.
• Using SASL, you can use Kerberos, MD5, S/Key, IPSec, TLS, or many other mechanisms for authentication.


Kerberos 189

Kerberos is used for both authentication and authorization to services and is the default authentication method used by computers that are a part of an Active Directory domain. Kerberos grants tickets (also called a security token) to authenticated users and to authorized resources. The process of using tickets to validate permissions is called delegated authentication.

Kerberos uses the following components:

• A service server (SS) is a server that provides or holds network resources.
• An authentication server (AS) accepts and processes authentication requests.
• A ticket granting server (TGS) grants tickets that are valid for specific resources on specific servers.
• A ticket granting ticket (TGT) is the entity issued by the authentication service (AS) on the KDC to a principal. The TGT proves principal identity throughout the communication process.
• The authentication server and ticket granting server are often combined into a single entity known as the Key Distribution Center (KDC). The KDC is the most important component in a Kerberos environment. It is responsible for managing all the secret keys, authenticating all users, and issuing tickets to valid users. The KDC provides a credential that can be used by all Kerberos-enabled servers and applications.
• Principals are the entities to which the KDC provides services. They may be users, applications, or services.
• Session keys are symmetric keys used to encrypt and decrypt information that passes between the principals and the KDC.

Kerberos works as follows:

• The client sends an authentication request to the authentication server.
• The authentication server validates the user identity and grants a ticket granting ticket (TGT). The TGT validates the user identity and is good for a specific ticket granting server.
• When the client needs to access a resource, it submits its TGT to the TGS. The TGS validates that the user is allowed access, and issues a client-server ticket.
• The client connects to the service server and submits the client-server ticket as proof of access.
• The SS accepts the ticket and allows access.

Ok, now in English.

The authentication process uses a Key Distribution Center (KDC) to orchestrate the entire process. The KDC authenticates the principal. Principals can be users, programs, or systems. The KDC provides a ticket to the network. Once this ticket is issued, it can be used to authenticate against other principals. This occurs automatically when a request or service is performed by another principal.

Be aware of the following regarding Kerberos:

• Kerberos uses symmetric key cryptography.
• Tickets are valid during the entire session and do not need to be re-requested, thereby providing single sign-on.
• Kerberos requires that all servers within the process have synchronized clocks to validate tickets.
• Kerberos shares a different secret key with every entity on the network. Knowledge of that secret key equals proof of identity (this system is called the realm).
• Kerberos uses TCP port 88.
• The KDC is a single point of failure.
• Tickets are temporarily stored on the user's workstation and could be compromised.
• Initial authentication is vulnerable to password guessing; the KDC cannot know if an attack is in progress.
• Network traffic is not protected by Kerberos.
• When a user changes a password, it changes the secret key, thus the KDC database needs to be updated.

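The five-step ticket flow above, simulated end to end, as an added example that is not part of the course text. Each principal shares one symmetric key with the KDC, the client never sees inside the TGT or the service ticket, and a client whose clock drifts too far from the KDC's is rejected; the seal/unseal helper is a toy authenticated cipher for illustration, not the encryption real Kerberos uses, and every key, principal and clock value is constructed.

```python
"""Added example (not from the course text): the Kerberos ticket flow above
(AS -> TGT -> TGS -> service ticket -> SS) simulated with symmetric keys.
seal()/unseal() are a toy authenticated cipher built from hashlib/hmac for
illustration only, not the encryption Kerberos really uses. Every key,
principal, password and clock value here is constructed."""
import hashlib, hmac, json, os

SKEW = 300  # seconds of clock difference tolerated: why clocks must be in sync


def derive_key(password: str, salt: str) -> bytes:
    """Long-term secret shared between a principal and the KDC."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def seal(key: bytes, obj: dict) -> bytes:
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, stream))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Only the holder of the right key can open a ticket (proof of identity)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise PermissionError("wrong key or tampered ticket")
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, stream)))


class KDC:
    """Authentication server and ticket granting server in one entity."""
    def __init__(self, realm: str, clock: int):
        self.realm, self.clock = realm, clock   # the KDC's own clock
        self.keys = {}                          # one secret per principal
        self.tgs_key = os.urandom(32)           # known only to the TGS

    def add_principal(self, name: str, password: str):
        self.keys[name] = derive_key(password, self.realm + name)

    def as_exchange(self, user: str) -> bytes:
        """AS reply: a session key for the client and a TGT only the TGS can read."""
        sess = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "sess": sess, "issued": self.clock})
        return seal(self.keys[user], {"sess": sess, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        """TGS reply: checks TGT + authenticator, issues a client-server ticket."""
        t = unseal(self.tgs_key, tgt)
        auth = unseal(bytes.fromhex(t["sess"]), authenticator)
        if auth["user"] != t["user"] or abs(auth["time"] - self.clock) > SKEW:
            raise PermissionError("authenticator rejected (identity or clock skew)")
        svc_sess = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "sess": svc_sess})
        return seal(bytes.fromhex(t["sess"]), {"sess": svc_sess, "ticket": ticket.hex()})


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> bool:
    """The SS opens the ticket with its own key; it never talks to the KDC."""
    t = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(t["sess"]), authenticator)
    return auth["user"] == t["user"] and abs(auth["time"] - now) <= SKEW


def login_and_access(kdc: KDC, user: str, password: str, service: str, client_clock: int) -> bool:
    """Whole client flow; True when the service server grants access."""
    key = derive_key(password, kdc.realm + user)
    as_rep = unseal(key, kdc.as_exchange(user))           # wrong password -> PermissionError
    sess = bytes.fromhex(as_rep["sess"])
    authn = seal(sess, {"user": user, "time": client_clock})
    tgs_rep = unseal(sess, kdc.tgs_exchange(bytes.fromhex(as_rep["tgt"]), authn, service))
    svc_sess = bytes.fromhex(tgs_rep["sess"])
    authn2 = seal(svc_sess, {"user": user, "time": client_clock})
    return service_accepts(kdc.keys[service], bytes.fromhex(tgs_rep["ticket"]),
                           authn2, kdc.clock)           # SS clock assumed in sync with KDC
```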


Single Sign-On Initiatives 189

Enterprise environments frequently implement a type of Single Sign-on (SSO) authentication. SSO is a distributed access method that allows a subject to log in (sign on) once to a network and access all authorized resources on the network. Single sign-on eliminates the need for multiple usernames and passwords.

The SSO system authenticates the subject against a master system and automatically logs the subject on to all servers the subject is authorized to access. Once authenticated, the subject can request access to additional resources without additional login credentials or passwords. An SSO system is commonly used in directory systems and some types of scripted access.

Microsoft Active Directory, Kerberos, and Novell eDirectory use the principle of single sign-on to grant users access to resources.

Other technologies that provide single sign-on authentication are security domains, directory services, and thin clients.

In this instance, the database application, e-mail client, and printers all authenticate with the same logon. Like Kerberos, this process requires all the applications that want to take advantage of AD to accept AD controls and directives. Access can be established through groups, and it can be enforced through group memberships.

Advantages of SSO include:

• It is a more efficient logon process. Users only need to type their user ID and password once.
• The user can create stronger passwords because there aren't so many passwords to remember.
• The need for multiple passwords and change synchronization is avoided.
• Access to all authorized resources with a single instance of authentication through a single set of user credentials.
• Inactivity timeout and attempt thresholds are applied closer to the user point of entry.
• Improved effectiveness of disabling all network and computer accounts for terminated users because of SSO's ability to add and delete accounts across the entire network from a centralized database and one user interface.

Disadvantages of SSO include:

• Once a user's ID and password are compromised in the system, an intruder can access all of the resources authorized for the user without constraint.
• The system security policy must be followed to ensure access is granted and/or limited to appropriate users.
• Implementation with microcomputer systems is difficult and can prevent full implementation.
• Ticket schemes do not scale very well.

SSO presents a single point of failure.


Understanding Access Control 191

Access control is the process by which use of resources and services is granted or denied. When implementing access control, one of several models can be used.

Mandatory Access Control 192

Access Control Model: Mandatory Access Control (MAC)

Characteristics:

Mandatory Access Control (MAC) provides the strictest security mechanism. This model is usually implemented in highly secure networks, such as military facilities.

The MAC model uses static relations, that is, predefined access privileges to a resource.

MAC uses labels for both subjects (i.e., users or groups who need access) and objects (i.e., resources with controlled access, such as data, applications, systems, printers, networks, and physical space). This access is typically established by network administrators and can't be changed by users.

• Classification labels, such as CONFIDENTIAL, SECRET, or TOP SECRET, are assigned to objects by the owner (usually a managerial or governmental entity).
• Clearance labels are assigned to subjects.
• When a subject's clearance lines up with an object's classification, and the user has a need to know (referred to as a category), the user is granted access.
• A privilege that is not expressly permitted is forbidden. If a subject needs access to an object, the administrator is the only person who can determine if access is allowed based on the security policy.
• Access control is mandatory because access is based on policy (the matching of the labels) rather than identity. Owners can only assign labels; they cannot allow access to specific subjects; therefore, users cannot share resources dynamically.

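The label-matching decision described above as an added example, not code from the course text: a subject gets access only when its clearance level is at least the object's classification level and it holds every category (need-to-know compartment) on the object; there is deliberately no way for an owner to grant a particular subject access. The level ordering, subjects, objects and categories are constructed.

```python
"""Added example (not from the course text): a label-based MAC decision.
Levels, categories, subjects and objects are all constructed; only the
administrator's label tables take part in the decision."""
from dataclasses import dataclass, field

# Constructed ordering of classification levels, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """Clearance 'lines up with' classification: level high enough AND
        every one of the object's categories held (need to know)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


class MacPolicy:
    """Administrator-owned label tables; note there is no per-subject grant
    method at all, which is what makes the control mandatory."""
    def __init__(self):
        self.clearance = {}        # subject -> Label (assigned to subjects)
        self.classification = {}   # object  -> Label (assigned to objects)

    def label_subject(self, subject: str, level: str, *categories: str):
        self.clearance[subject] = Label(level, frozenset(categories))

    def label_object(self, obj: str, level: str, *categories: str):
        self.classification[obj] = Label(level, frozenset(categories))

    def access_allowed(self, subject: str, obj: str) -> bool:
        # Anything not expressly permitted is forbidden: unlabeled -> deny.
        sub, o = self.clearance.get(subject), self.classification.get(obj)
        if sub is None or o is None:
            return False
        return sub.dominates(o)


def demo_policy() -> MacPolicy:
    """Constructed sample: two subjects, three objects."""
    p = MacPolicy()
    p.label_subject("analyst", "SECRET", "CRYPTO")
    p.label_subject("clerk", "CONFIDENTIAL")
    p.label_object("cipher_plan.doc", "SECRET", "CRYPTO")
    p.label_object("budget.xls", "CONFIDENTIAL")
    p.label_object("sigint_report.doc", "SECRET", "CRYPTO", "SIGINT")
    return p
```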


Discretionary Access Control 192

Access Control Model: Discretionary Access Control (DAC)

Characteristics:

Discretionary access control (DAC) assigns access directly to subjects based on the discretion (or decision) of the owner.

The DAC model uses Access Control Lists (ACLs) to map a user's access permissions to a resource. An ACL is a security mechanism used to designate those users who can gain various types of access, such as read, write, and execute access, to resources on the network. An ACL provides security as granular as the file level.

DAC allows users some flexibility in information-sharing capabilities within the network.

• Objects (directories and files) have a discretionary access control list (DACL) with entries for each subject.
• Owners of an object or administrators add subjects to the DACL and assign rights or permissions. The permissions identify the actions the subject can perform on the object.
• With discretionary access control, subjects can pass permissions on to other subjects.
• Using a DAC model, object access can be limited to certain days and certain times in the day.
• In DAC, a subject's rights should be suspended when he is on leave or vacation and should be terminated when he leaves the company.

Many computer systems use discretionary access control to limit access to systems or other resources.

The access control model used in a small Microsoft workgroup where users commonly share folders with each other is DAC. In this model, the data owner is responsible for granting other users access to resources. The data owner determines the level of access that will be granted to other users.

Role-Based Access Control 193

Access Control Model: Role-Based Access Control (RBAC)

Characteristics:

Role-Based Access Control (RBAC) allows access based on a role in an organization, not individual users.

RBAC allows specific people to be assigned to specific roles with specific privileges. A backup operator would need administrative privileges to back up a server. This privilege would be limited to the role and wouldn't be present during the employee's normal job functions.

• Roles are defined by job description or security access level.
• Users are made members of a role and receive the permissions assigned to the role.

Many systems offer a hybrid of DAC and RBAC. In some cases, the operating system might use DAC, whereas applications such as SQL Server use roles to determine access permission to data in tables and the database itself.

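The DAC/RBAC hybrid the last paragraph describes, as an added example that is not part of the course text: files carry an owner-managed DACL with time-of-day limits, delegation and suspension (the DAC bullets above), while an application layer maps users to roles and roles to privileges (the RBAC bullets). The names, roles, hours and timestamps are constructed.

```python
"""Added example (not from the course text): a DAC/RBAC hybrid. DacObject
implements the DACL behaviour in the DAC bullets; RbacApp the role mapping
in the RBAC bullets. All subjects, roles and times are constructed."""
from datetime import datetime


class DaclEntry:
    def __init__(self, perms, hours=None, days=None):
        self.perms = set(perms)   # e.g. {"read", "write", "grant"}
        self.hours = hours        # (start_hour, end_hour) window, or None = any time
        self.days = days          # set of weekday numbers (0 = Monday), or None = any day

    def active_at(self, when: datetime) -> bool:
        """Access can be limited to certain days and times of day."""
        if self.days is not None and when.weekday() not in self.days:
            return False
        if self.hours is not None and not (self.hours[0] <= when.hour < self.hours[1]):
            return False
        return True


class DacObject:
    """A file or directory: the owner (or an administrator) decides access."""
    def __init__(self, owner: str):
        self.owner = owner
        self.dacl = {}            # subject -> DaclEntry
        self.suspended = set()    # subjects on leave: rights kept but unusable

    def grant(self, grantor: str, subject: str, perms, **limits):
        # Owner/admin grant directly. Any other subject may pass on
        # permissions only if it holds 'grant' and already holds those
        # permissions itself (delegation without escalation).
        if grantor not in (self.owner, "Administrator"):
            held = self.dacl.get(grantor)
            if held is None or "grant" not in held.perms or not set(perms) <= held.perms:
                raise PermissionError(f"{grantor} may not grant {sorted(perms)}")
        self.dacl[subject] = DaclEntry(perms, **limits)

    def revoke(self, subject: str):
        self.dacl.pop(subject, None)   # rights terminated when the subject leaves

    def allowed(self, subject: str, perm: str, when: datetime) -> bool:
        if subject == self.owner:
            return True
        if subject in self.suspended:
            return False
        entry = self.dacl.get(subject)
        return entry is not None and perm in entry.perms and entry.active_at(when)


class RbacApp:
    """Role layer: users -> roles -> privileges, no per-user grants at all."""
    ROLE_PRIVS = {"backup_operator": {"backup", "restore"},
                  "db_reader": {"select"},
                  "db_admin": {"select", "insert", "alter", "backup"}}

    def __init__(self):
        self.roles = {}           # user -> set of role names

    def assign(self, user: str, role: str):
        if role not in self.ROLE_PRIVS:
            raise KeyError(role)
        self.roles.setdefault(user, set()).add(role)

    def can(self, user: str, privilege: str) -> bool:
        return any(privilege in self.ROLE_PRIVS[r] for r in self.roles.get(user, ()))


# Constructed timestamps for exercising the time limits (2023-10-30 is a Monday).
WEEKDAY_NOON = datetime(2023, 10, 30, 12, 0)
SUNDAY_NOON = datetime(2023, 10, 29, 12, 0)
WEEKDAY_NIGHT = datetime(2023, 10, 30, 22, 0)
```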


Rule-Based Access Control 193

Access Control Model: Rule-Based Access Control

Characteristics:

Rule-based access control uses characteristics of objects or subjects, along with rules, to restrict access.

• Access control entries identify a set of characteristics that will be examined for a match.
• If all characteristics match, access is either allowed or denied based on the rule.
• An example of a rule-based access control implementation is a router access control list that allows or denies traffic based on characteristics within the packet (such as IP address or port number).
• Because rule-based access control does not consider the identity of the subject, a system that uses rules can be viewed as a form of mandatory access control.



Implementing Access Control Best Practices 193

Smart Cards 193

A smart card is a type of badge or card that can be used for access control to multiple resources including buildings, parking lots, and computers. It contains information about your identity and access privileges. Smart cards increase the security of the authentication process because the card must be in your physical possession.

One type of smart card is the Common Access Card (CAC). A common access card is a specialized smart card designed to be used for general identification, computer and network access, signing email, and implementing PKI. These cards are issued by the Department of Defense as a general identification/authentication card for military personnel, contractors, and non-DoD employees.

Smart cards are replacing magnetic cards in many instances because they can store additional personal information and are harder to copy or counterfeit. Smart cards often also require the use of a small password called a PIN, which further secures the smart card if lost by the true card holder.

Smart cards are difficult to counterfeit, but they're easy to steal. Once a thief has a smart card, they have all the access the card allows. To prevent this, many organizations don't put any identifying marks on their smart cards, making it harder for someone to utilize them. A password or PIN is required to activate many modern smart cards, and encryption is employed to protect the contents.

The reader is connected to the workstation and validates against the security system.

(Figure: The Smart Card Authentication Process)

A whole system can become useless if the smart card is lost or stolen.


Access Control Lists 195

Access control lists (ACLs) allow individual and highly controllable access to resources in a network. An ACL can also be used to exclude a particular system, IP address, or user.

Routers and firewalls are your front line of defense against attacks being launched from outside the company network. Access control list (ACL) mechanisms are implemented in many routers, firewalls, and other network devices.

You can configure and apply access control lists to the interfaces of routers to filter out unauthorized traffic. Through ACLs, you can design and change network security to counter specific security threats.

ACLs can be configured on router interfaces for inbound and outbound packets. ACLs deployed on a router will improve network security by confining sensitive internal data traffic to computers on a specific subnet.

The following can be configured in an ACL on router interfaces for inbound and outbound packets:

• Source and/or destination IP address
• Source and/or destination protocol number
• Source and/or destination port number

An implicit deny clause is implied at the end of each ACL, and it means that any traffic not specifically allowed is denied.

The most essential operational aspects of network device hardening involve ensuring that your network devices run only necessary protocols, services, and access control lists.

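A first-match packet ACL evaluator of the kind a router applies per interface, as an added example that is not part of the course text; it serves both the rule-based access control section (all characteristics must match, identity is never consulted) and the ACL section here (source/destination address, protocol, port, and the implicit deny at the end). The networks, hosts and packets are constructed.

```python
"""Added example (not from the course text): a first-match packet ACL with
the implicit deny the text describes. Addresses and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    protocol: str = "any"         # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"        # source network
    dst: str = "0.0.0.0/0"        # destination network
    dport: Optional[int] = None   # destination port, None = any
    note: str = ""

    def matches(self, pkt: dict) -> bool:
        """All configured characteristics must match for the rule to apply."""
        if self.protocol != "any" and pkt["protocol"] != self.protocol:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


class AccessList:
    def __init__(self, name: str, rules):
        self.name, self.rules = name, list(rules)

    def evaluate(self, pkt: dict):
        """Return (action, rule) for the first matching entry. Nothing matched
        means the implicit deny at the end of the list applies; who sent the
        packet never enters the decision."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule
        return "deny", Rule("deny", note="implicit deny")


# Constructed inbound ACL for an internet-facing interface: exclude one
# abusive block entirely, allow web traffic to the DMZ, allow ping to the
# DMZ gateway only, and let the implicit deny drop everything else.
INBOUND = AccessList("internet-in", [
    Rule("deny", src="203.0.113.0/24", note="exclude abusive block"),
    Rule("permit", "tcp", dst="192.0.2.0/24", dport=443, note="HTTPS to DMZ"),
    Rule("permit", "tcp", dst="192.0.2.0/24", dport=80, note="HTTP to DMZ"),
    Rule("permit", "icmp", dst="192.0.2.1/32", note="ping the DMZ gateway"),
])


def decide(pkt: dict) -> str:
    """Convenience wrapper returning just 'permit' or 'deny'."""
    return INBOUND.evaluate(pkt)[0]
```

Rule order matters: a host in the excluded block is denied even though its HTTPS request would otherwise match the permit that follows.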


Trusted OS 196

A Trusted Operating System (TOS) is an operating system that comes hardened and validated to a specific security level as defined in the Common Criteria for Information Technology Security Evaluation (CC). Many TOSs provide sufficient support for multilevel security, where multiple levels of classified data reside within the same system, but do not permit users to access classified data at different classification levels, and all personnel have to have approval on a need-to-know basis to access information in the system.

Common Criteria has designed the evaluation criteria into seven EALs:

1. EAL 1 - A user must be assured that the system will operate correctly, but threats to security are not viewed as serious. The other EAL levels promote higher levels of security.
2. EAL 2 - Developers use good design practices but security is not a high priority.
3. EAL 3 - Developers provide moderate levels of security.
4. EAL 4 - Security configuration is based on good commercial development. This level is the baseline for most security in commercial systems, including operating systems and products. Requires at least Microsoft Windows XP Professional, with Service Pack 2.
5. EAL 5 - Security is implemented starting in early design. It provides high levels of security assurance.
6. EAL 6 - Specialized security engineering provides high levels of assurance. This level will be highly secure from penetration attackers.
7. EAL 7 - Extremely high levels of security are provided. This level requires extensive testing, measurement, and independent testing.



Secure Router Configuration 197

To securely configure the router, you must do the following:

• Change the Default Password
  o The password for the administrator is set before the router leaves the factory. Assume that every miscreant knows the default router passwords.
• Walk through the Advanced Settings
  o These vary by router manufacturer but often include settings to block ping requests, perform MAC filtering, etc.
• Keep the Firmware Upgraded
  o Router manufacturers often issue patches when problems are discovered.

Security Measure: Secure passwords
Description: Change the default manufacturer's username and password, and encrypt the new password. Use a complex password to prevent using passwords that are easy to guess or crack. Complex passwords require passwords of a certain length (typically over 8 characters) and a mix of character types (numbers and symbols) along with requirements that the passwords are not words, variations of words, or derivatives of the username.
On a Cisco device, use the Message-Digest 5 (MD5) hashing algorithm to encrypt the password. Do not use the encrypted type 7 passwords, as they are not secure and can be easily broken.

Security Measure: Secure protocols
Description: Use encrypted protocols when managing the device, including:
• Secure Shell (SSH) allows for secure interactive control of remote systems.
  o SSH uses RSA public key cryptography for both connection and authentication.
  o SSH is also a protocol that can be used to provide security services for other protocols.
• Secure Copy Protocol (SCP) is a secure file copy protocol that uses SSH for security.
• HTTP over SSL (HTTPS) is a secure form of HTTP that uses SSL to encrypt data before it is transmitted.
Note: Do not use Telnet or FTP/TFTP. These protocols send data in cleartext.

Security Measure: Physical security
Description: Ensure physical security by keeping network devices in a locked room. If someone can gain access to the physical device, they can easily bypass any configured passwords. Passwords are useless if physical access is not controlled. Implement the following physical security measures:
• Perimeter barriers
• Closed-circuit television (CCTV)
• Doors
• Door locks
• Physical access logs
• Physical access controls

Security Measure: Secure configuration file
Description: If possible, store the router configuration file in encrypted form, and back up the file to a secure location.
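A small configuration audit for the password and management-protocol measures in the table above, as an added example that is not part of the course text: it reads a Cisco IOS style running-config and flags reversible type 7 passwords, a missing MD5 enable secret, Telnet on the VTY lines and the cleartext HTTP server. The IOS keywords are real; the sample configs and the audit logic are this example's own, and the hash values are placeholders.

```python
"""Added example (not from the course text): audit a Cisco IOS style
running-config against the 'Secure passwords' and 'Secure protocols'
measures above. Both sample configs are constructed; hashes are placeholders."""
import re

# Constructed sample that breaks several of the measures in the table.
WEAK_CONFIG = """\
hostname edge-rtr
service password-encryption
enable password 7 0123456789ABCDEF
username admin password 7 FEDCBA9876543210
ip http server
line vty 0 4
 password 7 0011223344556677
 login
 transport input telnet ssh
"""

# The same device after applying the table's advice (type 5 = MD5 hash).
HARDENED_CONFIG = """\
hostname edge-rtr
enable secret 5 $1$PLACEHOLDER$hashgoeshere
username admin secret 5 $1$PLACEHOLDER$hashgoeshere
no ip http server
ip http secure-server
line vty 0 4
 login local
 transport input ssh
"""


def audit_ios_config(text: str) -> list:
    """Return (severity, finding) tuples; an empty list means no issues found."""
    findings = []
    lines = [l.strip() for l in text.splitlines()]

    # Type 7 is reversible, which is why the text says not to use it.
    for l in lines:
        if re.search(r"\bpassword 7 \S+", l):
            findings.append(("high", f"type 7 password in use: '{l}'"))

    # 'enable secret' stores an MD5 (type 5) hash; 'enable password' does not.
    if not any(l.startswith("enable secret") for l in lines):
        findings.append(("high", "no 'enable secret' (MD5) configured"))
    if any(l.startswith("enable password") for l in lines):
        findings.append(("medium", "'enable password' present; use 'enable secret' instead"))

    # Management protocols: SSH only on the VTY lines, HTTPS instead of HTTP.
    in_vty = False
    for l in lines:
        if l.startswith("line vty"):
            in_vty = True
        elif l.startswith("line "):
            in_vty = False
        elif in_vty and l.startswith("transport input") and "telnet" in l:
            findings.append(("high", f"Telnet allowed on VTY lines: '{l}'"))
    if "ip http server" in lines:
        findings.append(("medium", "cleartext 'ip http server' enabled; use 'ip http secure-server'"))
    return findings
```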