CIST 1601 Information Security Fundamentals
Chapter 5 Access Control and
JD. Willard MCSE, MCSA, Network+
Attention: Accessing Videos in this document.
are linked to Professor Messer on YouTube and
require nothing but a browser.
require that you be logged in to the Virtual Technical
College web site when you click on them to run.
To access and log in to the Virtual Technical College web site:
To access the site type
in the url window
Log in using the username: ATCStudent1
Enter the password: student (case sensitive)
If you click on a demo link and get an Access Denied error, it is because you have not logged in to
vtc.com, or you need to log out and log back in.
No matter what the network connection method, resource
interactions are always managed by access
Access Control Basics 177
Identification vs. Authentication
To access resources on a network, a user must prove who they are and that
they have permissions to
access the resources. This process consists of the following:
is the initial process of confirming the identity of a user requesting credentials and
occurs when a user types in a user ID to log on.
occurs during the identification phase as the user proves that they are who they say they are in order
to obtain credentials. If a person has previously been identified, but cannot provide their assigned
authentication credentials (such as a lost password), then identity proofing is called upon again.
is the verification of the issued identification credentials. It is usually the second
step in the identification process, and establishes the user's identity, ensuring that users are who
they say they are.
Authentication is the process of validating user credentials that prove user identity. Authentication is
typically the first step in connecting to a network. Following successful authentication, access controls can
be implemented to allow or
deny access to network resources.
A simple form of authentication sends a username and password to an authentication server. If the
password is sent in clear text, the authentication credentials can be intercepted and used to impersonate
an authorized user. One method of protecting logon credentials is by using a challenge/response
mechanism (also called a three-way handshake). Using this process:
Both the authentication server and the authenticator are configured with a common shared
secret. This shared secret is usually a password associated with a user account.
The authentication server sends a challenge string to the authenticator.
The authenticator uses the shared secret to hash the challenge string, and returns the user
account name and the hashed value to the authentication server.
The authentication server uses its shared secret value to also hash the challenge string. If the two
hashed values match, the authentication server assumes that the authenticator also knows the
shared secret.
With the challenge/response method, the password is never sent through the network; only the hashed
challenge string is exchanged. Be aware that the hashed challenge string is not even an encrypted form
of the password.
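The three-step exchange above, written out as an added example (this is not code from the course notes or from any product they describe). It assumes a keyed hash, HMAC-SHA256, in place of the unspecified "hash" in the text, a fresh random challenge per attempt, and constant-time comparison on the server; the account name and secret are constructed sample values. Note that the server must still hold the shared secret for every account, so protecting that store matters as much as protecting the wire.

```python
import hmac
import hashlib
import secrets


class AuthServer:
    """Server side: stores each account's shared secret and issues one-time challenges."""

    def __init__(self, accounts):
        self._accounts = dict(accounts)   # {username: shared secret (bytes)}
        self._pending = {}                # {username: outstanding challenge}

    def issue_challenge(self, username):
        # A fresh random challenge for every attempt, so a captured response
        # is useless against any later challenge.
        challenge = secrets.token_bytes(16)
        self._pending[username] = challenge
        return challenge

    def verify(self, username, response):
        challenge = self._pending.pop(username, None)   # a challenge may be answered once
        secret = self._accounts.get(username)
        if challenge is None or secret is None:
            return False
        expected = hash_challenge(secret, challenge)
        # Constant-time comparison so timing does not reveal how many bytes matched.
        return hmac.compare_digest(expected, response)


def hash_challenge(secret, challenge):
    """Keyed hash of the challenge (HMAC-SHA256 here, an assumption); the secret itself is never sent."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def run_handshake(server, username, client_secret):
    """Authenticator side of the three-step exchange; returns the server's decision."""
    challenge = server.issue_challenge(username)          # 1. server -> client: challenge string
    response = hash_challenge(client_secret, challenge)   # 2. client -> server: account name + hash
    return server.verify(username, response)              # 3. server recomputes and compares


if __name__ == "__main__":
    # Constructed sample account; the secret would normally come from the account database.
    server = AuthServer({"alice": b"constructed-shared-secret"})
    print("correct secret:", run_handshake(server, "alice", b"constructed-shared-secret"))
    print("wrong secret:  ", run_handshake(server, "alice", b"guess"))
```

Because each challenge is consumed on first use, replaying a captured response against the server fails even though the same secret produced it.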
The three ways a user can prove identity to an authentication server are:
Something you know
authentication requires you to provide a password or some other data
that you know. This is the weakest type of authentication. Examples of something you know
authentication controls are:
Passwords, codes, or IDs
Pass phrases (long, sentence
information such as questions that only the user can answer, including:
Your mother's maiden name
The model or color of your first car
city where you were born
Composition passwords, which are created by the system and are usually two or
more unrelated words divided by symbols on the keyboard
a form of Type 1 authentication. Usernames are often easy to
guess. Only the passwords or other information associated with the usernames
can be used to validate identity.
Something you have
authentication) is authentication based on
something a user has in their possession. Examples of something you have authentication
(similar to credit cards) with authentication information stored on the
are very useful when combined with other forms of authentication, but are
high risk if they are the only form of required authentication. Photo IDs are easily
manipulated or reproduced, require personnel for verification, and cannot be verified
against a system.
contain a memory chip with encrypted authentication inf
Smart cards can:
Require contact such as swiping or they can be contactless.
Contain microprocessor chips with the ability to add, delete, and manipulate
data on it.
Can store digital signatures, cryptography keys, and identification codes.
private key for authentication to log a user into a network. The private
key will be used to digitally sign messages.
Be based on challenge/response. A user is given a code (the challenge)
which he or she enters into the smart card. The smart card then di
new code (the response) that the user can present to log in.
Types of token-based authentication are:
password, the password is saved on the token device. Swiping the
token supplies the password for authentication.
password generates new passwords at specific intervals
on the hardware token. Users must read the generated password and enter it along
with the PIN to gain access.
password generates new passwords based on an
event, such as
pressing a key.
password generates a random challenge string. The
challenge text is entered into the token, along with the PIN. The token then uses
both to generate a response used for authentication.
Smart cards typically use
certificates for identification and authentication. With certificates,
the digital document is associated with a user in one of the following ways:
mapping, each certificate maps to an individual user account
(each user has a unique certi
mapping, a certificate maps to many user accounts (a group of
users share the same certificate).
Digital certificates require the implementation of a PKI, which have high administrative
Something you are
authentication uses a
. A biometric system attempts to identify a person based on
or a mathematical representation of the subject's biological attribute. This is the most expensive
and least accepted, but is generally considered to be the most secure form of authentication.
Common attributes used for biometric systems are:
Fingerprints (end point and bifurcation pattern)
Hand topology (side view) or geometry (top down view)
Palm scans (pattern, including fingerprints)
Retina scans (blood vein pattern)
Iris scans (color)
Facial scans (pattern)
Keyboard or keystroke dynamics (behavioral biometric systems)
Dwell time (key press time)
Flight time (how fingers move from key to key)
When implementing a biometric system, the attribute that is used for authentication must
meet the following criteria:
means that all individuals possess the attribute.
means that the attribute is different for each individual.
means that the attribute always exists and will not change over time.
ensures that the attribute can be measured easily.
means that the attribute can be accurately and quickly collected.
allows for acceptable substitutes for the attribute in case the original attribute is missing or
can't be read.
identifies the degree to which the technology is accepted by users.
Biometric systems include multiple scans of the biological attribute.
Scans are then
translated into a numeric constellation map of critical points. That mathematical
representation is bound to a digital certificate that links to the subject's user account in the
user database. Most biometric systems require implementation
of a PKI system.
You should be aware of the following terms used to measure the effectiveness of authentication solutions:
A false negative (or Type I error) occurs when a person who should be allowed access is denied
access. The False Rejection Rate (FRR) is a measure of the probability that a false
negative will occur.
A false positive (or Type II error) occurs when a person who should be denied access is
allowed access. The False Acceptance Rate (FAR) is a measure of the probability that a
false positive will occur. False positives are more serious than false negatives and
represent a security breach because unauthorized persons are allowed access.
The crossover error rate, also called the equal error rate, is the point where the number
of false positives matches the number of false negatives in a biometric system. Select the
system with the lowest crossover error rate within your budget.
, or system throughput, identifies the number of subjects or
authentication attempts that can be validated. An acceptable rate is 10 subjects per minute.
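A worked calculation of FAR, FRR and the crossover point, added here as an example (not part of the course notes). It assumes a biometric matcher that reports a similarity score from 0 to 100 and accepts when the score meets a threshold; the two score lists are constructed sample data. Raising the threshold lowers FAR but raises FRR, which is the trade-off the text describes, and the crossover is simply the threshold where the two rates meet.

```python
from dataclasses import dataclass

# Constructed sample match scores (0..100): higher means the live sample looks
# more like the stored template.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 70, 66, 58]    # authorised users
IMPOSTOR_SCORES = [12, 20, 31, 38, 45, 52, 60, 63, 71, 80]   # unauthorised attempts


@dataclass
class ErrorRates:
    threshold: int
    far: float   # False Acceptance Rate: impostors let in (Type II error)
    frr: float   # False Rejection Rate: genuine users kept out (Type I error)


def error_rates(threshold, genuine, impostor):
    """FAR and FRR when a score >= threshold is treated as a match."""
    accepted_impostors = sum(1 for s in impostor if s >= threshold)
    rejected_genuine = sum(1 for s in genuine if s < threshold)
    return ErrorRates(threshold,
                      accepted_impostors / len(impostor),
                      rejected_genuine / len(genuine))


def crossover_point(genuine, impostor):
    """Sweep every threshold and return the one where FAR and FRR are closest (the CER/EER)."""
    best = None
    for t in range(0, 101):
        r = error_rates(t, genuine, impostor)
        if best is None or abs(r.far - r.frr) < abs(best.far - best.frr):
            best = r
    return best


if __name__ == "__main__":
    for t in (50, 67, 90):
        r = error_rates(t, GENUINE_SCORES, IMPOSTOR_SCORES)
        print(f"threshold {t:3d}: FAR={r.far:.2f} FRR={r.frr:.2f}")
    print("crossover:", crossover_point(GENUINE_SCORES, IMPOSTOR_SCORES))
```

On this sample data a threshold of 90 gives FAR 0.0 but FRR 0.9 (the "sensitivity set too high" case), while the crossover sits at threshold 67 with both rates at 0.2; a real evaluation would use thousands of attempts per class rather than ten.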
Authentication (Single Factor) and Authorization 178
To increase security, you can use a combination of authentication methods as described in these options:
Uses credentials of only one type, but may require multiple methods within the
Examples: To log in, you supply a username and a password (the username is not used for
authentication, so the only credential supplied for authentication is the password). To log in,
you supply a username, PIN, and a pass phrase (all credentials are of the same type).
Requires that both
with each other. Example: To log in, your computer sends its digital certificate to prove its
identity to a network server. The server then proves its identity to your computer before they
will exchange messages.
Requires two (or
to be deployed. Example: To enter a secured building, you must insert your key card (Type 2)
and undergo a retina scan (Type 3).
Requires two or more
can be of the same
Example: To log on to an online banking system, you enter your username, password, and then
must answer a random personal question (such as your birthplace or mother's maiden name).
If you are considering implementing biometrics,
keep in mind the following:
Some biometric factors are unique even between identical twins.
When a biometric is used by itself, it is no more secure than a strong password. A single
successful attack can subvert a biometric in much the same way that a single successful attack
can subvert a password.
Biometric attacks need not be physical harm based (such as cutting off a finger), but can include
a wide variety of realistic reproductions that fool the biometric reader device.
The most important consideration for a biometric device is
When a biometric device has its sensitivity set too high, it will result in numerous false negative
rejections (i.e., when authorized users are not recognized and therefore rejected).
To use a biometric, new users must go through a physical enrollment process that is more
complex and time consuming than the enrollment process for a password-only based system.
Biometric enrollment requires the new users to prove their identity to a user administrator. The
new user must then provide the first example of their biometric to a reader device under the
supervision of the user administrator. This first example is digitized and stored as a reference
template. All future uses of the biometric will compare the contemporary biometric sample offered
to the historical recorded template.
Operational Security 180
issues include network access control (NAC), authentication, and security
topologies after the network installation is complete.
Whether or not your server operating system can force the change of a password is considered an
operational security issue because it is concerned with the ability of the operating system to perform a
One of the most effective ways to protect the network from malicious hosts is to use
network access control.
Network Access Control (NAC)
controls access to the network
by not allowing computers to access
network resources unless they meet certain
predefined security requirements.
The premise behind NAC is to secure the environment by
examining the user’s machine and, based on the results, grant access accordingly.
NAC requires a
(software to monitor the health of a machine) be
installed on each computer as part of the security requirements for computers
attempting to gain access.
Conditions that can be part of the connection requirements include requiring that
virus software w
date definition files.
An active personal firewall.
Specific operating system critical updates and patches.
A client that is determined by the NAC agent to be healthy is given access to the network.
An unhealthy client, who has not met all the checklist requirements, is either denied
access or can be given restricted access to a remediation network, where
remediation servers can be contacted to help the client to become compliant. For
example, remediation servers might include anti
and definition files
that can be installed. If and when the unhealthy client's status changes to healthy,
the client is given access to the network.
NAC is often used with 802.1 as an authentication protocol for port
security. In addition to meeting
authentication requirements, the client must also
meet health requirements before access will be granted through 802.1.
The basic components of NAC products are:
The Access requestor (AR), which is the device that requests access
The policy decision
point (PDP), which is the system that assigns a policy
based on the assessment
The policy enforcement point (PEP), which is the device that enforces the
policy.This device may be a switch, firewall, or router.
The four ways NAC systems can be integrated into the network are:
The business benefits
include compliance, a better security posture, and
operational cost management.
Microsoft's version of the NAC security tool is Network Access Protection (NAP).
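The policy decision point (PDP) logic described above, as an added example (not code from the course notes, Microsoft NAP or any NAC product). It assumes a posture report shaped like the health conditions the text lists (antivirus running with recent definitions, personal firewall active, required patches installed); the patch identifiers and dates are constructed placeholders, and the "remediation" outcome stands for the restricted remediation network.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed placeholder patch IDs; a real policy would list actual update identifiers.
REQUIRED_PATCHES = {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}
MAX_DEFINITION_AGE = timedelta(days=3)   # how stale antivirus definitions may be


@dataclass
class PostureReport:
    """What the NAC agent on the access requestor (AR) reports about its host."""
    host: str
    antivirus_running: bool
    definitions_date: date
    firewall_active: bool
    installed_patches: set = field(default_factory=set)


def failed_checks(report, today):
    """Return the names of the checklist items the host fails (empty list means healthy)."""
    failures = []
    if not report.antivirus_running or today - report.definitions_date > MAX_DEFINITION_AGE:
        failures.append("antivirus")
    if not report.firewall_active:
        failures.append("firewall")
    missing = REQUIRED_PATCHES - report.installed_patches
    if missing:
        failures.append("patches:" + ",".join(sorted(missing)))
    return failures


def policy_decision(report, today, remediation_available=True):
    """PDP: 'production' when healthy; otherwise 'remediation' (restricted network)
    or 'deny' when no remediation network exists. The PEP (switch/firewall/router)
    would enforce whichever network the decision names."""
    failures = failed_checks(report, today)
    if not failures:
        return "production", []
    return ("remediation" if remediation_available else "deny"), failures


if __name__ == "__main__":
    today = date(2024, 1, 10)   # constructed "current" date
    stale = PostureReport("ws-02", True, date(2023, 12, 1), True, set(REQUIRED_PATCHES))
    print(policy_decision(stale, today))   # ('remediation', ['antivirus'])
```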
Something You Have
Identification vs. Authentication
The Security Token system functions in this manner. If your token does not grant you access to certain
information, that information will either not be displayed or
your access will be denied.
Tokens are created when a user or system successfully authenticates. The token is destroyed when the
session is over.
Potential Authentication and Access Problems 181
is an established relationship between different domains that allows mutual authentication,
communication, and access to resources between the domains. Trust details include the following:
The direction of trust is typically identified with an arrow.
is a unidirectional authentication path created between two domains.
For example, if Domain A trusts Domain B, the arrow would point from Domain A to
Domain B. Domain A is the
domain, and Domain B is the
is the same as two one-way trusts in opposite directions. Both domains
that are involved in a trust relationship trust each other, meaning authentication requests
are passed between the two domains in both directions.
Resource access is granted opposite of the direction of trust. For example, if Domain A trusts
Domain B, users in Domain B have access to resources in Domain A (remember that users in the
trusted domain have access to resources in the trusting domain).
defines whether trust between domains
flows or is inherited to other trusted domains.
allows the trust relationship to flow among domains.
, trust relationships must be explicit between domains.
By default, Active Directory creates two-way transitive trusts between parent and child domains in
the tree or forest. These are known as Active Directory trusts or Kerberos trusts.
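The direction, two-way and transitivity rules above, worked through as an added example (not code from the course notes). It assumes a trust is recorded as a (trusting, trusted) pair, the arrow pointing from the trusting domain to the trusted one, and computes which domains' resources a user can reach, which runs opposite to the arrow; domain names are constructed.

```python
def two_way(domain_a, domain_b):
    """A two-way trust is just two one-way trusts in opposite directions."""
    return [(domain_a, domain_b), (domain_b, domain_a)]


def accessible_resources(user_domain, trusts, transitive):
    """Domains whose resources a user from user_domain can reach.

    trusts is a list of (trusting, trusted) pairs. Access flows the opposite way to the
    arrow: users in the trusted domain reach resources in the trusting domain. With
    transitive=False only directly established trusts count; with transitive=True the
    trust is inherited along the chain.
    """
    trusting_of = {}   # trusted domain -> set of domains that trust it
    for trusting, trusted in trusts:
        trusting_of.setdefault(trusted, set()).add(trusting)

    reachable = {user_domain}          # a user can always reach their own domain
    frontier = [user_domain]
    while frontier:
        domain = frontier.pop()
        for trusting in trusting_of.get(domain, ()):
            if trusting not in reachable:
                reachable.add(trusting)
                if transitive:         # non-transitive: stop after one hop
                    frontier.append(trusting)
    return reachable


if __name__ == "__main__":
    # Constructed example: A trusts B, and B trusts C (two one-way trusts).
    chain = [("A", "B"), ("B", "C")]
    print("C user, non-transitive:", sorted(accessible_resources("C", chain, False)))
    print("C user, transitive:    ", sorted(accessible_resources("C", chain, True)))
    print("A user:                ", sorted(accessible_resources("A", chain, True)))
```

Reviewing trusts this way makes the risk of transitive chains visible: a user in C never appears in A's trust list, yet reaches A's resources once the chain is transitive.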
attack involves threat agents acquiring more trust than they should by joining the
domain, and therefore have unauthorized access to resources.
attack exploits vulnerabilities in client applications that interact with a malicious
server. A typical example of a client-side attack is a malicious web page targeting a specific
browser vulnerability that would give the malicious server complete control of the client system.
is an example of client-side scripting, where the client system runs the scripts that are
embedded in Web pages. When pages download, the scripts are executed.
Authentication Issues to Consider 182
Setting authentication security, especially in supporting users, can become a high
for network administrators.
On one hand, you want people to be able to authenticate themselves easily
On the other hand, you want to establish security
that protects your company’s resources.
Be wary of popular names or current trends that make certain passwords predictable.
is an organizational process that binds users to authentication methods.
Identification proofing is invoked
when a person claims they are the user, but cannot be authenticated
such as when they lose their password. They are typically asked to provide another value
mother’s maiden name
to prove their identity.
Under no circumstance should the person proofing be allowed access immediately;
instead their access information should be sent to their email account of record.
Identity proofing is the main component of authentication lifecycle management.
Authenticators for identity proofing include smart cards, biometrics, and one-time passwords (OTP).
Understanding Remote Access Connectivity 184
Using the Point-to-Point Protocol 184
Point-to-Point Protocol (PPP)
is used for dial
PPP provides no
and should never be used for VPN connections.
PPP works with POTS, Integrated Services Digital Network (ISDN), and other faster
connections such as T1.
PPP using a single B channel on an ISDN connection. In the case of ISDN, PPP
would normally use one 64Kbps B channel for transmission.
PPP does not provide data security, but it does provide authentication using
Challenge Handshake Authentication Protocol (CHAP). CHAP can be used to
demand authentication within an ongoing data transmission.
offers multiple protocol support including AppleTalk, IPX, and DECnet, and is
widely used today as a transport protocol for dial
PPP is a protocol for communicating between two points using a serial interface,
and provides service at layer 2 of the OSI model. PPP can handle both synchronous and
up connection using PPP works well because it isn't common for an attacker to
tap a phone line. You should make sure all your PPP connections
channels, dedicated connections, or dial
PPP over Ethernet (PPPoE) is used for connections that have an "always on" state,
such as DSL or fiber optic running Ethernet. PPPoE is a modification of PPP that
allows for negotiation of additional parameters that are typically not present on a
regular Ethernet network. ISPs typically implement PPPoE to control and monitor
Internet access over broadband links.
Working with Tunneling Protocols 185
allows a network to make a secure connection to another network through the Internet or
other network. Tunnels are usually secure and present themselves as extensions of both networks.
add a capability to the network:
The ability to create tunnels between networks that can be more secure, support additional
protocols, and provide virtual paths between systems.
The most common protocols used for tunneling are as follows:
Point-to-Point Tunneling Protocol (PPTP)
was one of the first VPN protocols and was developed by
PPTP supports encapsulation in a single point-to-point environment. PPTP encapsulates and
encrypts PPP packets. This makes PPTP a favorite low-end protocol for networks. The negotiation
between the two ends of a PPTP connection is done in the clear. Once the negotiation is performed, the
channel is encrypted.
Uses standard authentication protocols, such as Challenge Handshake Authentication Protocol
(CHAP) or Password Authentication
Supports TCP/IP only.
Encapsulates other LAN protocols and carries the data securely over an IP network.
Uses Microsoft's MPPE for data encryption.
Is supported by most operating systems and servers.
Uses TCP port 1723.
Layer 2 Forwarding
is a VPN technology developed by Cisco as a method of creating tunnels
primarily for dial
L2F is similar in capability to PPP and should not be used over WANs.
L2F does provide authentication, but it does not provide encryption.
Operates at the Data Link layer (layer 2).
Offers mutual authentication.
Does not encrypt data.
Merged with PPTP to create L2TP.
Relatively recently, Microsoft and Cisco agreed to combine their respective tunneling protocols into one
Two Tunneling Protocol (L2TP)
L2TP is a hybrid of PPTP and L2F. L2TP is primarily a point
is an open standard for secure multi
tunneling protocol that can be used between LANs.
L2TP isn't secure, and you should use IPSec with it to provide data security.
Operates at the Data Link layer (layer 2).
Supports multiple protocols and can be used in networks besides TCP/IP. L2TP works over IPX,
SNA, and IP.
Uses IPSec for encryption. Combining L2TP with IPSec (called L2TP/IPSec) provides:
Per packet data origin authentication (non
Is not supported by older operating systems.
Uses TCP port 1701 and UDP port 500.
Secure Shell (SSH)
is a type of tunneling protocol that allows access to remote systems in a secure
SSH was originally designed for UNIX systems. SSH is a program that allows connections to be
secured by encrypting the session between the client and the server.
SSH also provides security equivalent programs such as Telnet, FTP, and many of the other
oriented programs under UNIX.
SSH transmits both authentication information and data securely during terminal connections with
UNIX computers. SSH uses
Internet Protocol Security (IPSec)
is not a tunneling protocol, but it can be used to digitally sign, encrypt and encapsulate packets,
and can be used in conjunction with L2TP or by itself as a VPN solution.
provides both authentication and encryption, and is regarded as one of the
strongest security standards.
IPSec includes two protocols that provide different features.
Authentication Header (AH)
provides authentication features. Use AH to enable authentication.
When AH protocol is used, IPSec digitally signs packet headers
Encapsulating Security Payload (ESP)
provides data encryption. Use ESP to encrypt data.
If you use only AH, data is
IPSec has two modes of operation, based on the relationship of the communicating devices to each other.
is used for end-to-end encryption of data. The packet data is protected, but the
header is left intact, allowing intermediary devices (such as routers) to
examine the packet header and use the information in routing packets.
Use transport mode for
communications within an autonomous LAN.
is used for link-to-link communications. Both the packet contents and the header
Two routers that require secure communications should use IPSec
in tunnel mode to encrypt packets.
IPSec can be used to secure communications such as:
host communications within a LAN.
VPN communications through the Internet, either by itself or in conjunction with the L2TP VPN
Any traffic supported by the IP protocol including Web, e-mail, Telnet, file transfer, and SNMP
traffic as well as countless others.
Be aware of the following additional characteristics of IPSec:
IPSec functions at the Network layer (layer 3) of the OSI model.
IPSec uses either digital certificates or pre
IPSec generally can't be used when a NAT proxy is deployed.
Secure Sockets Layer (SSL)
protocol has long been used to secure traffic generated by protocols such as HTTP, FTP, and
e-mail. SSL can also be used as a VPN solution, typically in a remote-access scenario. SSL:
Authenticates the server to the client using public key cryptography and digital certificates.
Encrypts the entire commun
Uses port 443, a port that is often already opened in most firewalls.
Implementations that use SSL for VPN tunneling include Microsoft's SSTP and Cisco's SSL VPN.
Working with RADIUS 186
When implementing a remote access server, the remote access server typically controls access for
remote access clients. Clients might be restricted to access only resources on the remote access server,
or might be allowed access to resources on other hosts on the private network.
Remote access policies identify allowed users and other required connection parameters.
In a small implementation, user accounts and remote access policies are defined on the remote
access server. With this configuration, if you have multiple remote access servers, you must
define user accounts and policies on each remote access server.
For larger deployments with multiple remote access servers, you can centralize the administration
of remote access policies by using an AAA server (authentication, authorization, and accounting).
Connection requests from remote clients are received by the remote access server and
forwarded to the AAA server to be approved or denied.
Policies defined on the AAA server apply to all clients connected to all remote access servers.
Two common AAA server solutions include:
Remote Authentication Dial-In User Service (RADIUS)
is used by Microsoft servers for centralized remote access administration.
provides centralized remote user authentication, authorization, and accounting.
The centralized authentication, authorization, and accounting features of RADIUS allow central
administration of all aspects of remote login. The accounting features allow administrators to track usage
and network statistics by maintaining a central database.
Combines authentication and authorization using policies to grant access.
or the separation of accounting to different servers. However,
authentication and authorization remain combined on a single server.
Uses UDP ports 1812 and 1813.
Uses a challenge/response method for authentication. RADIUS encrypts only
the password using M
Often uses vendor-specific extensions. RADIUS solutions from different
vendors might not be compatible.
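What "RADIUS encrypts only the password" means on the wire, as an added example that is not code from the course notes or from any RADIUS implementation. It follows the User-Password hiding procedure of RFC 2865 section 5.2 (MD5 of the shared secret and the Request Authenticator, XORed into 16-byte blocks and chained), and builds the two attributes of an Access-Request so you can see that User-Name is sent in the clear while User-Password is not. The secret, Request Authenticator and credentials are constructed sample values; a real client draws the Request Authenticator at random for each request.

```python
import hashlib


def hide_password(password, secret, request_authenticator):
    """RFC 2865 §5.2 User-Password hiding: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block); the first block is keyed by the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        hidden += block
        prev = block          # chaining: the next block is keyed by this hidden block
    return hidden


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password, as the RADIUS server performs it."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ s for c, s in zip(block, stream))
        prev = block
    return plain.rstrip(b"\x00")


def attribute(attr_type, value):
    """RADIUS attribute: type (1 byte), length (1 byte, counts this 2-byte header too), value."""
    return bytes([attr_type, len(value) + 2]) + value


def access_request_attributes(username, password, secret, request_authenticator):
    """User-Name (type 1) travels in the clear; only User-Password (type 2) is hidden."""
    return (attribute(1, username)
            + attribute(2, hide_password(password, secret, request_authenticator)))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    ra = bytes(range(16))     # constructed Request Authenticator; random per request in practice
    attrs = access_request_attributes(b"alice", b"Pa55w0rd", secret, ra)
    print(attrs.hex())        # the ASCII of "alice" is visible, the password bytes are not
```

The strength of this hiding rests entirely on the shared secret between RADIUS client and server, which is why a long, unique secret per client and a transport such as an IPSec tunnel between them are the usual mitigations.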
A RADIUS server communicating with an ISP to allow access to a remote user.
Notice that the remote server is functioning as a client to the RADIUS
This allows centralized administration of access rights.
When configuring a RADIUS solution, configure a server as a RADIUS
provide AAA services. Then configure all remote access servers as RADIUS
A RADIUS server acts as either the authentication server or a proxy client that
forwards client requests to other authentication servers. The initial network access
server, which is usually a VPN server or dial-up server, acts as a RADIUS client by
forwarding the VPN or dial-up client's request to the RADIUS server. RADIUS is the
protocol that carries the information between the VPN or dial-up client, the RADIUS
client, and the RADIUS server.
Control System Plus (TACACS+)
oriented environment, and it operates in a similar manner to RADIUS.
TACACS+ allows credentials to be accepted from multiple methods, including
was originally developed by
Cisco for centralized remote access
TACACS+ is used almost exclusively by Cisco.
Provides three protocols, one each for authentication, authorization, and
accounting. This allows each service to be provided by a different server.
Uses TCP port 49.
Encrypts the entire packet contents and not just authentication packets.
Supports more protocol suites than RADIUS.
TACACS and XTACACS are older protocols developed before TACACS+. While they
sound similar, they are different, less secure
Points to consider when comparing RADIUS vs. TACACS+ are:
TACACS+ and RADIUS have generally replaced earlier protocols in more recently built or
updated networks, although TACACS and XTACACS are still running on many older systems.
more interoperable because TACACS+ is Cisco proprietary.
RADIUS performs better due to less encryption, less overhead, and more compatibility with other
TACACS+ is considered more reliable than RADIUS because of TCP.
TACACS+ is more secure than RADIUS because RADIUS encrypts only the password;
TACACS+ encrypts the entire session between the client and server.
RADIUS is more secure than the original TACACS.
PPTP does not work with RADIUS and TACACS+; L2TP can be used with RADIUS and
solutions are vulnerable to buffer overflow attacks, birthday attacks, and packet sniffing.
virtual local area network
allows you to create groups of users and systems and segment
them on the network. This segmentation lets you hide segments of the network from other segments and
thereby control access.
VLANs enable you to unite network nodes logically into the same broadcast domain regardless of their
physical attachment to the network. Networks can coexist on the same wiring and be unaware of each other.
VLANs allow administrators to segment or group users that have similar data sensitivity levels together,
thereby increasing security.
virtual LAN (VLAN)
is a logical grouping of computers based on switch port.
VLAN membership is configured by assigning a switch port to a VLAN.
A switch can have multiple VLANs configured on it, but each switch port can only be a
member of a single VLAN (with one exception described below).
VLANs can be defined on a single switch, or configured on multiple interconnected
switches. With multiple switches, each switch can be configured with the same VLANs,
and devices on one switch can communicate with devices on other switches as long as
they are on the same VLAN.
port is used to connect two switches together.
Typically, Gigabit Ethernet ports are used for trunk ports, although any port can
be a trunking port.
A trunk port is a member of all VLANs,
and carries traffic between the switches.
When trunking is used, frames that are sent over a trunk port are tagged by the
first switch with the VLAN ID so that the receiving switch knows to which VLAN
the frame belongs.
format that switches use for tagging
frames with the VLAN ID.
Because end devices do not understand the VLAN tags, the tag is removed
from the frame by the switch before the frame is forwarded to the destination
VLAN tagging is only used for frames
that travel between switches on the trunk
In a typical configuration with multiple VLANs and a single or multiple switches,
workstations in one VLAN will not be able to communicate with workstations in other
VLANs. To enable inter-VLAN communication, you will need to use a router (or a Layer
Using VLANs, the switch can be used to create multiple IP broadcast domains. Each
VLAN is in its own broadcast domain, with broadcast traffic being sent only to members
of the same VLAN.
Using VLANs with switches offers the following administrative benefits.
You can create virtual LANs based on criteria other than physical location (such
as workgroup, protocol, or service).
You can simplify device moves (devices are moved to new VLANs by modifying
the port assignment).
You can control broadcast traffic based on logical criteria (only devices in the
same VLAN receive broadcast traffic).
You can control security (isolate traffic within a VLAN).
When you use switches to create VLANs, you will still need routers to:
Route data in to and out of the local area network
Route data between VLANs
Apply firewall filtering rules to traffic
VLANs are commonly used with Voice over IP (VoIP) to distinguish voice traffic from
data traffic. Traffic on the voice VLAN can be given a higher priority to ensure timely
A typical segmented VLAN
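The tagging and untagging the trunking bullets describe, as an added example (not code from the course notes or from any switch vendor). It assumes the IEEE 802.1Q tag format, which the text's description matches: a 4-byte tag inserted after the two MAC addresses, consisting of the 0x8100 tag protocol identifier and a 16-bit control field holding a 3-bit priority, a 1-bit drop indicator and the 12-bit VLAN ID. The sample frame is constructed. The priority field is also how a voice VLAN gets the higher priority mentioned above.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag (IEEE 802.1Q)


def tag_frame(frame, vlan_id, priority=0):
    """Insert an 802.1Q tag after the destination and source MACs, as the first switch
    does before sending a frame out a trunk port."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= priority <= 7:
        raise ValueError("priority (PCP) must be 0..7")
    tci = (priority << 13) | vlan_id          # PCP (3 bits) | DEI (1 bit, 0 here) | VID (12 bits)
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return frame[:12] + tag + frame[12:]


def parse_tag(frame):
    """Return (vlan_id, priority) when the frame carries an 802.1Q tag, else None."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13


def strip_tag(frame):
    """Remove the tag before the frame is forwarded to an end device on an access port,
    since end devices do not understand VLAN tags."""
    if parse_tag(frame) is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample frame: broadcast destination MAC, a locally administered source MAC,
# EtherType 0x0800 (IPv4), then a few placeholder payload bytes.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "02000000aa01" "0800") + b"payload-bytes"


if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_FRAME, vlan_id=100, priority=5)   # e.g. a voice VLAN
    print("tagged:", tagged.hex())
    print("tag   :", parse_tag(tagged))
    print("access port sees original frame:", strip_tag(tagged) == SAMPLE_FRAME)
```

Because the tag is the only thing separating VLANs on a trunk, the defensive checks that matter are on the switch side: only designated trunk ports should accept tagged frames, and access ports should drop frames that arrive already tagged.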
Understanding Authentication Services 189
Lightweight Directory Access Protocol (LDAP)
is a lightweight protocol that allows users and applications to read from and write to an
LDAP-compliant directory service, such as Active Directory, eDirectory, and OpenLDAP. The LDAP client
must bind (i.e. authenticate) to the directory service before reading/writing to the database.
An LDAP directory is defined as a tree-like structure with entries, each of which consists of named
attributes with values. Services, such as repository and distribution of digital certificates, can be handled
by external servers running the LDAP protocol.
The LDAP directory service follows a client/server model. One or more LDAP servers contain the
directory data, the LDAP client connects to an LDAP Server to make a directory service request.
Directory structure showing
unique identification of a user
In conjunction with Active Directory, LDAP uses four different name types:
Distinguished Name (DN)
exists for every object in AD. These values can't be duplicates and must be unique. This is the full
path of the object, including any containers.
Relative Distinguished Name (RDN)
doesn’t need to be a wholly unique value as long as there
are no duplicates within the organizational unit (OU). As such, an RDN is the portion of the name
that is unique within its container.
User Principal Name (UPN)
is often referred to as a friendly name. It consists of the user
account and the user’s domain name and is used to identify the user (think of an e
(CN) is the DN given in a top
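The DN/RDN/UPN relationship above can be made concrete with a small parser. This is an added example, not code from the course or from any directory product: it splits a DN into its RDNs (honouring backslash-escaped commas in values), derives the RDN and its container, and checks the rule that an RDN need only be unique inside its container. The domain corp.example and the sample entries are constructed for illustration.

```python
"""Parse LDAP distinguished names and check RDN uniqueness per container.

Added example (not part of the handout). Rules modelled: a DN is the full path of
an object; the RDN is its leftmost component; the RDN only has to be unique inside
its container; UPN = account@domain. Sample entries are constructed.
"""
from typing import List, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings, keeping backslash escapes such as 'Smith\\, Bob'."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep both chars, skip the comma test
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def rdn(dn: str) -> str:
    """The Relative Distinguished Name is the leftmost component of the DN."""
    return split_dn(dn)[0]


def container(dn: str) -> str:
    """Everything to the right of the RDN: the OU/domain path that holds the object."""
    return ",".join(split_dn(dn)[1:])


def normalise(rdn_text: str) -> Tuple[str, str]:
    """Attribute type and value of an RDN, lower-cased for case-insensitive comparison."""
    attr, _, value = rdn_text.partition("=")
    return attr.strip().lower(), value.strip().lower()


def find_duplicate_rdns(dns: List[str]):
    """Return (container, (attr, value)) keys that violate 'RDN unique within its container'."""
    seen, dups = set(), []
    for dn in dns:
        key = (container(dn).lower(), normalise(rdn(dn)))
        if key in seen:
            dups.append(key)
        seen.add(key)
    return dups


def upn(sam_account: str, dns_domain: str) -> str:
    """UPN = user account @ domain name (the friendly, e-mail-like form)."""
    return f"{sam_account}@{dns_domain}"


# Constructed sample directory entries under a hypothetical domain corp.example.
SAMPLE_DNS = [
    "CN=Bob Smith,OU=Sales,DC=corp,DC=example",
    "CN=Bob Smith,OU=Engineering,DC=corp,DC=example",   # same RDN, different OU: allowed
    "CN=Smith\\, Bob,OU=Sales,DC=corp,DC=example",       # escaped comma inside the value
    "cn=bob smith,ou=sales,dc=corp,dc=example",          # duplicate of entry 1 (case differs)
]
```

The fourth entry is the interesting one: LDAP compares attribute types and most values case-insensitively, so `find_duplicate_rdns(SAMPLE_DNS)` flags it as a clash with the first entry even though the strings differ, while the third entry, whose value contains an escaped comma, is correctly treated as a different RDN.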
LDAP supports the following authentication modes when binding to a directory service:
- Only a username (no password) is required to authenticate.
- A username and password are required. Normally, the username and password are passed in clear text.
LDAP uses ports 389 and 636 by default. For unsecured sessions, LDAP uses port 389. To protect simple authentication, port 636 is used for LDAP over SSL (LDAPS).
Simple Authentication and Security Layer (SASL) is an extensible mechanism for protecting authentication. Using SASL, you can use Kerberos, MD5, S/Key, IPSec, TLS, or many other mechanisms for authentication.
Kerberos is used for both authentication and authorization to services and is the default method used by computers that are a part of an Active Directory domain. Kerberos grants tickets (also called a security token) to authenticated users and to authorized resources. The process of using tickets to validate permissions is called
Kerberos uses the following components:
- A service server (SS) is a server that provides or holds network resources.
- An authentication server (AS) accepts and processes authentication requests.
- A ticket granting server (TGS) grants tickets that are valid for specific resources.
- A ticket granting ticket (TGT) is the entity issued by the authentication service (AS) on the KDC to a principal. The TGT proves principal identity.
- The authentication server and ticket granting server are often combined into a single entity known as the Key Distribution Center (KDC). The KDC is the most important component in a Kerberos environment. It is responsible for managing all the secret keys, authenticating all users, and issuing tickets to valid users. The KDC provides a credential that can be used by all Kerberos-enabled servers and applications.
- Principals are the entities to which the KDC provides services. They may be users, programs, or systems.
- Session keys are symmetric keys used to encrypt and decrypt information passed between the principals and the KDC.
Kerberos works as follows:
1. The client sends an authentication request to the authentication server.
2. The authentication server validates the user identity and grants a ticket granting ticket (TGT). The TGT validates the user identity and is good for a specific ticket granting server.
3. When the client needs to access a resource, it submits its TGT to the TGS. The TGS validates that the user is allowed access, and issues a client-server ticket.
4. The client connects to the service server and submits the client-server ticket as proof.
5. The SS accepts the ticket and allows access.
Ok, now in English. The Kerberos process uses a Key Distribution Center (KDC) to orchestrate the entire process. The KDC authenticates the principal. Principals can be users, programs, or systems. The KDC provides a ticket to the network. Once this ticket is issued, it can be used to authenticate against other principals. This occurs automatically when a request or service is performed by another principal.
Be aware of the following regarding Kerberos:
- Kerberos uses symmetric key cryptography.
- Tickets are valid during the entire session, providing single sign-on.
- Kerberos requires that all servers within the process have synchronized clocks.
- Kerberos shares a different secret key with every entity on the network. Knowledge of that secret key equals proof of identity.
- Kerberos uses TCP port 88.
- The KDC is a single point of failure.
- Tickets are temporarily stored on the user's workstation and could be compromised.
- Initial authentication is vulnerable to password guessing; the KDC cannot know if an attack is in progress.
- Network traffic is not protected by Kerberos.
- When a user changes a password, it changes the secret key, thus the KDC database needs to be updated.
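The five-step exchange and the notes above (symmetric keys, a TGT that is reused for the whole session, synchronized clocks) can be walked through in a toy model. This is an added example written for this page, not Kerberos code from any implementation: the KDC combines AS and TGS, every principal shares a secret key with the KDC, each ticket is sealed with the key of the server that must open it, and a 5-minute clock-skew window is enforced. The `seal`/`unseal` cipher (SHA-256 keystream plus HMAC tag) is a demonstration stand-in for the real encryption types, and the principals, keys and lifetimes are constructed.

```python
"""Toy Kerberos exchange: AS-REQ/REP, TGS-REQ/REP, AP-REQ (added example, not course material).

Tickets are sealed with the key of the party that must read them, so the client cannot
forge a TGT (it lacks the TGS key) or a service ticket (it lacks the service key).
"""
import hashlib
import hmac
import json
import os
import time

SKEW = 300            # allowed clock skew in seconds (Kerberos's usual 5-minute default)
TGT_LIFETIME = 600    # ticket validity in seconds (constructed value for the demo)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Deterministic keystream from key+nonce; demo construction, not a real cipher mode."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under a symmetric key."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt; raises ValueError if the key is wrong or data was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) combined into one entity."""

    def __init__(self, principals: dict):
        self.keys = dict(principals)              # principal name -> long-term secret key
        self.keys["krbtgt"] = os.urandom(32)      # the TGS's own key; only the KDC knows it

    def as_exchange(self, client: str, now: float):
        """Step 2: issue a TGT (sealed for the TGS) and the session key sealed for the client."""
        sk = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"client": client, "sk": sk.hex(), "exp": now + TGT_LIFETIME})
        return tgt, seal(self.keys[client], {"sk": sk.hex(), "exp": now + TGT_LIFETIME})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        """Step 3: validate TGT + authenticator, then issue a client-server ticket."""
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["exp"]:
            raise PermissionError("TGT expired")
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)   # proves the client holds the session key
        if auth["client"] != t["client"] or abs(now - auth["ts"]) > SKEW:
            raise PermissionError("authenticator rejected (name mismatch or clock skew)")
        ssk = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "sk": ssk.hex(), "exp": now + TGT_LIFETIME})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": ssk.hex()})


class ServiceServer:
    """The SS: can open only tickets sealed with its own key (steps 4 and 5)."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def accept(self, ticket: bytes, authenticator: bytes, now: float) -> str:
        t = unseal(self.key, ticket)
        if now > t["exp"]:
            raise PermissionError("service ticket expired")
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        if auth["client"] != t["client"] or abs(now - auth["ts"]) > SKEW:
            raise PermissionError("authenticator rejected")
        return t["client"]


def login_and_access(client: str, client_key: bytes, kdc: KDC, svc: ServiceServer,
                     now: float = None, client_clock_offset: float = 0.0) -> str:
    """Run steps 1-5 for one client; returns the principal name the service server accepted."""
    now = time.time() if now is None else now
    tgt, enc = kdc.as_exchange(client, now)
    sk = bytes.fromhex(unseal(client_key, enc)["sk"])          # wrong password -> wrong key -> fails here
    client_now = now + client_clock_offset                     # models an unsynchronized client clock
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk, {"client": client, "ts": client_now}), svc.name, now)
    ssk = bytes.fromhex(unseal(sk, enc2)["sk"])
    return svc.accept(ticket, seal(ssk, {"client": client, "ts": client_now}), now)


def attempt(client: str, client_key: bytes, kdc: KDC, svc: ServiceServer, now: float, offset: float = 0.0) -> str:
    """Same flow, but reports the outcome as a string instead of raising (handy for a log)."""
    try:
        return "ok:" + login_and_access(client, client_key, kdc, svc, now, offset)
    except (ValueError, PermissionError) as e:
        return "rejected:" + str(e)


# Constructed principals and keys (in AD these derive from passwords and machine secrets).
KEYS = {"alice": os.urandom(32), "fileserver": os.urandom(32)}
```

Two failure modes from the notes above fall out directly: a client that presents the wrong key never recovers the session key from the AS reply (the KDC cannot tell whether a guessing attack is under way, it only sees failed decryptions), and a client whose clock is off by more than `SKEW` has its authenticator refused even though its ticket is otherwise valid.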
Enterprise environments frequently implement a type of single sign-on (SSO) authentication. SSO is a distributed access method that allows a subject to log in (sign on) once to a network and access all authorized resources on the network. Single sign-on eliminates the need for multiple usernames and passwords.
The SSO system authenticates the subject against a master system and automatically logs the subject on to all servers the subject is authorized to access. Once authenticated, the subject can request access to additional resources without additional login credentials or passwords. An SSO system is commonly used in directory systems and some types of scripted
Microsoft Active Directory uses the principle of single sign-on to grant users access to resources. Other technologies that provide single sign-on authentication are security domains, directory services, and thin clients.
In this instance, the database application, e-mail client, and printers all authenticate with the same logon. Like Kerberos, this process requires all the applications that want to take advantage of AD to accept AD controls and directives. Access can be established through groups, and it can be enforced through group memberships.
Advantages of SSO include:
- It is a more efficient logon process. Users only need to type their user ID and password once.
- The user can create stronger passwords because there aren't so many passwords to remember.
- The need for multiple passwords and change synchronization is avoided.
- Access to all authorized resources with a single instance of authentication through a single set of credentials.
- Timeout and attempt thresholds are applied closer to the user point of entry.
- Improved effectiveness of disabling all network and computer accounts for terminated users because of SSO's ability to add and delete accounts across the entire network from a central database and one user interface.
Disadvantages of SSO include:
- Once a user's ID and password are compromised in the system, an intruder can access all of the resources authorized for the user without constraint.
- The system security policy must be followed to ensure access is granted and/or limited appropriately.
- Implementation with microcomputer systems is difficult and can prevent full implementation.
- Ticket schemes do not scale very well.
- SSO presents a single point of failure.
Understanding Access Control
Access control is the process by which use of resources and services is granted or denied. When implementing access control, one of several models can be used.
Mandatory Access Control 192
Mandatory Access Control (MAC) is the strictest security mechanism. The MAC model is usually implemented in highly secure networks, such as military facilities. The MAC model uses static relations: predefined access privileges to a resource for both subjects (i.e., users who need access) and objects (i.e., resources with controlled access, such as data, applications, networks, and physical space). This access is typically established by network administrators and can't be changed by users.
Classification labels are assigned to objects by the owner (usually a managerial or governmental entity), and clearances are assigned to subjects. When a subject's clearance lines up with an object's classification, and the user has a need to know, the user is granted access. Any privilege that is not expressly permitted is forbidden. If a subject needs access to an object, the administrator is the only person who can determine if access is allowed based on the security policy.
Access control is mandatory because access is based on policy (the matching of the labels) rather than identity. Owners can only assign labels; they cannot allow access to specific users, and users cannot share resources.
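The label matching described above is a lattice comparison, and it is worth seeing the two halves separately: the clearance level must be high enough, and the subject must hold every need-to-know compartment the object carries. This is an added example (not from the course or any particular MAC system) in the Bell-LaPadula style: reads require the clearance to dominate the object's label ("no read up"), writes require the object's label to dominate the clearance ("no write down"), and anything else is forbidden. The levels, compartments, subjects and objects are constructed samples.

```python
"""Mandatory access control decision over a label lattice (added example, not course material).

A label is (level, compartments). A subject's clearance dominates an object's label when
its level is at least as high AND it holds a superset of the object's compartments
(need to know). Owners and users cannot override the outcome; only the labels matter.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Constructed ordering of classification levels (higher number = more sensitive).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_decision(subject_clearance: Label, object_label: Label, op: str) -> bool:
    """Rules a MAC reference monitor enforces on every access:
    read  -> 'no read up':   the clearance must dominate the object's label
    write -> 'no write down': the object's label must dominate the clearance
    Any operation not expressly permitted is forbidden.
    """
    if op == "read":
        return subject_clearance.dominates(object_label)
    if op == "write":
        return object_label.dominates(subject_clearance)
    return False


# Constructed subjects and objects. Administrators set these; owners cannot relax them.
CLEARANCES: Dict[str, Label] = {
    "analyst":  Label("SECRET", frozenset({"CRYPTO"})),
    "director": Label("TOP SECRET", frozenset({"CRYPTO", "NUCLEAR"})),
    "clerk":    Label("CONFIDENTIAL"),
}
OBJECTS: Dict[str, Label] = {
    "budget.xls":  Label("CONFIDENTIAL"),
    "keys.txt":    Label("SECRET", frozenset({"CRYPTO"})),
    "reactor.doc": Label("SECRET", frozenset({"NUCLEAR"})),   # analyst has no need to know
}


def access_matrix() -> Dict[Tuple[str, str, str], bool]:
    """Evaluate every subject/object/operation combination, as an audit report would."""
    return {(s, o, op): mac_decision(CLEARANCES[s], OBJECTS[o], op)
            for s in CLEARANCES for o in OBJECTS for op in ("read", "write")}
```

Note what the matrix shows: the analyst, cleared SECRET, can read `keys.txt` but not `reactor.doc` at the same level, because the compartment (need to know) does not match; the clerk may write into a SECRET file without being able to read it back, which is the "write up" the model permits; and the director cannot write into `budget.xls`, since that would move TOP SECRET knowledge down to a CONFIDENTIAL object.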
Discretionary Access Control 192
Discretionary access control (DAC) assigns access directly to subjects based on the discretion (or decision) of the owner. The DAC model uses Access Control Lists (ACLs) to map a user's access permissions to a resource. An ACL is a security mechanism used to designate those users who can gain various types of access, such as read, write, and execute access, to resources on a network. An ACL provides security as granular as the file level. DAC provides some flexibility in information sharing capabilities within the network.
Objects (directories and files) have a discretionary access control list (DACL) with entries for each subject. The owner of an object or administrators add subjects to the DACL and assign rights or permissions. The permissions identify the actions the subject can perform on the object. With discretionary access control, subjects can pass permissions on to other subjects.
Using a DAC model, object access can be limited to certain days and certain times in the day. In DAC, a subject's rights should be suspended when he is on leave or vacation and should be terminated when he leaves the company.
Many computer systems use discretionary access control to limit access to systems or resources. The access control model used in a small Microsoft network where users commonly share folders with each other is DAC. In this model, the data owner is responsible for granting other users access to resources. The data owner determines the level of access that will be granted to other users.
Role-Based Access Control
Role-Based Access Control (RBAC) allows access based on a role in an organization, not individual users. RBAC allows specific people to be assigned to specific roles with specific privileges. A backup operator would need administrative privileges to back up a server. This privilege would be limited to the role and wouldn't be present during the employee's normal job functions.
Roles are defined by job description or security access level. Users are made members of a role and receive the permissions assigned to the role.
Many systems offer a hybrid of DAC and RBAC. In some cases, the operating system might use DAC, whereas applications such as SQL Server use roles to grant access permissions to data in tables and the database itself.
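The DAC and RBAC sections above, and the hybrid the last paragraph mentions, fit in one worked model. This is an added example, not code from the course or from any operating system or database: the "file system" side is DAC (each object has a DACL its owner edits, permissions can be passed on, access can be limited to business hours, and a departing user's entries are removed), while the "database" side is RBAC (permissions belong to roles, users are role members, and the privileged backup role has to be activated for the task so it is not present during normal work). All users, roles, objects and times are constructed.

```python
"""DAC for files beside RBAC for a database (added example, not course material)."""
from datetime import datetime, time as dtime
from typing import Dict, Optional, Set, Tuple


# ---------- Discretionary access control ----------
class DacObject:
    def __init__(self, name: str, owner: str):
        self.name, self.owner = name, owner
        # The owner starts with full rights, including the right to edit the DACL.
        self.dacl: Dict[str, Set[str]] = {owner: {"read", "write", "execute", "grant"}}
        self.hours: Optional[Tuple[dtime, dtime]] = None   # allowed daily window, None = any time

    def grant(self, granter: str, subject: str, perms: Set[str]) -> None:
        """The owner, or anyone holding 'grant', may pass permissions on to another subject."""
        if "grant" not in self.dacl.get(granter, set()):
            raise PermissionError(f"{granter} may not modify the DACL of {self.name}")
        self.dacl.setdefault(subject, set()).update(perms)

    def revoke_all(self, subject: str) -> None:
        """Suspend or terminate a subject: drop every DACL entry for them."""
        self.dacl.pop(subject, None)

    def check(self, subject: str, perm: str, when: datetime) -> bool:
        if self.hours and not (self.hours[0] <= when.time() <= self.hours[1]):
            return False                                   # outside the allowed time of day
        return perm in self.dacl.get(subject, set())


# ---------- Role-based access control ----------
ROLE_PERMS: Dict[str, Set[str]] = {
    "db_reader":       {"SELECT"},
    "db_writer":       {"SELECT", "INSERT", "UPDATE"},
    "backup_operator": {"BACKUP DATABASE"},      # administrative privilege, bound to the role
}


class Rbac:
    def __init__(self):
        self.members: Dict[str, Set[str]] = {}   # user -> roles the user may hold
        self.active: Dict[str, Set[str]] = {}    # user -> roles switched on right now

    def assign(self, user: str, role: str) -> None:
        if role not in ROLE_PERMS:
            raise KeyError(role)
        self.members.setdefault(user, set()).add(role)
        if role != "backup_operator":            # ordinary roles are active by default
            self.active.setdefault(user, set()).add(role)

    def activate(self, user: str, role: str) -> None:
        """A privileged role is switched on only for the task that needs it."""
        if role not in self.members.get(user, set()):
            raise PermissionError(f"{user} is not a member of {role}")
        self.active.setdefault(user, set()).add(role)

    def deactivate(self, user: str, role: str) -> None:
        self.active.get(user, set()).discard(role)

    def check(self, user: str, perm: str) -> bool:
        """The decision depends only on active roles, never on who the user is."""
        return any(perm in ROLE_PERMS[r] for r in self.active.get(user, set()))


def demo() -> Dict[str, bool]:
    """Walk a constructed scenario and return every decision by name."""
    report = DacObject("Q3-report.docx", owner="alice")
    report.hours = (dtime(8, 0), dtime(18, 0))           # business hours only
    report.grant("alice", "bob", {"read"})
    report.grant("alice", "carol", {"read", "grant"})
    report.grant("carol", "dave", {"read"})               # carol passes her permission on
    db = Rbac()
    db.assign("bob", "db_reader")
    db.assign("bob", "backup_operator")
    noon, night = datetime(2024, 1, 15, 12, 0), datetime(2024, 1, 15, 23, 0)
    out = {
        "bob_reads_noon": report.check("bob", "read", noon),
        "bob_reads_night": report.check("bob", "read", night),
        "bob_writes": report.check("bob", "write", noon),
        "dave_reads_via_carol": report.check("dave", "read", noon),
        "bob_select": db.check("bob", "SELECT"),
        "bob_backup_before": db.check("bob", "BACKUP DATABASE"),
    }
    db.activate("bob", "backup_operator")
    out["bob_backup_active"] = db.check("bob", "BACKUP DATABASE")
    db.deactivate("bob", "backup_operator")
    out["bob_backup_after"] = db.check("bob", "BACKUP DATABASE")
    report.revoke_all("bob")                              # bob leaves the company
    out["bob_reads_after_revoke"] = report.check("bob", "read", noon)
    return out


def unauthorized_grant() -> bool:
    """bob holds only 'read'; an attempt by him to extend the DACL must be refused."""
    memo = DacObject("memo.txt", owner="alice")
    memo.grant("alice", "bob", {"read"})
    try:
        memo.grant("bob", "eve", {"read"})
        return False
    except PermissionError:
        return True
```

The contrast the two halves make is the point of the hybrid: on the DAC side the decision is "is this subject in this object's DACL", and the owner (or anyone the owner trusted with `grant`) shapes that list, whereas on the RBAC side `check` never looks at the user at all, only at which roles are active, which is what lets the backup privilege exist without being present during everyday work.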
Rule-Based Access Control 193
Rule-based access control uses characteristics of objects or subjects, along with rules, to restrict access. Access control entries identify a set of characteristics that will be examined for a match. If all characteristics match, access is either allowed or denied based on the rule. An example of a rule-based access control implementation is a router access control list that allows or denies traffic based on characteristics within the packet (such as IP address or port number).
Because rule-based access control does not consider the identity of the subject, a system that uses rules can be viewed as a form of mandatory access control.
Implementing Access Control Best Practices 193
Smart Cards 193
A smart card is a type of badge or card that can be used for access control to multiple resources including buildings, parking lots, and computers. It contains information about your identity and access privileges. Smart cards increase the security of the authentication process because the card must be in your possession.
One type of smart card is the Common Access Card (CAC). The common access card is a smart card designed to be used for general identification, computer and network access, signing email, and implementing PKI. These cards are issued by the Department of Defense as a general identification card for military personnel, contractors, and non
Smart cards are replacing magnetic cards in many instances because they can store additional personal information and are harder to copy or counterfeit. Smart cards often also require the use of a small password called a PIN, which further secures the smart card if lost by the true card holder.
Smart cards are difficult to counterfeit, but they're easy to steal. Once a thief has a smart card, they have all the access the card allows. To prevent this, many organizations don't put any identifying marks on their smart cards, making it harder for someone to utilize them. A password or PIN is required to activate many modern smart cards, and encryption is employed to protect the contents.
The reader is connected to the workstation and validates against the security system.
The Smart Card Authentication Process
A whole system can become useless if the smart card is lost or stolen.
Access Control Lists 195
Access control lists allow individual and highly controllable access to resources in a network. An ACL can also be used to exclude a particular system, IP address, or user.
Routers and firewalls are your front line of defense against attacks being launched from outside. Access control list (ACL) mechanisms are implemented in many routers, firewalls, and other network devices. You can configure and apply access control lists to the interfaces of routers to filter out unauthorized traffic. Through ACLs, you can design and change network security to counter specific security threats. ACLs can be configured on router interfaces for inbound and outbound packets. ACLs deployed on a router will improve network security by confining sensitive internal data traffic to computers on a specific network segment.
The following can be configured in an ACL on router interfaces for inbound and outbound packets:
- Source and/or destination IP address
- Source and/or destination protocol number
- Source and/or destination port number
An implicit deny clause is implied at the end of each ACL, and it means that it denies any traffic not explicitly permitted.
The most essential operational aspects of network device hardening involve ensuring that your network devices run only necessary protocols, services, and access control lists.
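The router ACL described here, and the rule-based model in the earlier section that used it as its example, can be simulated end to end: entries are evaluated top-down on source/destination address, protocol and port, the first match decides, and unmatched traffic falls through to the implicit deny. This is an added example written for this page, not router code or a real vendor's ACL syntax; the address ranges use the 192.0.2.0/24 and 203.0.113.0/24 documentation prefixes, and the entries and packets are constructed.

```python
"""Rule-based packet filter in the style of a router interface ACL (added example, not course material)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp", ...
    dport: int = 0
    sport: int = 0


@dataclass(frozen=True)
class AclEntry:
    action: str                                  # "permit" or "deny"
    proto: str = "ip"                            # "ip" matches any protocol
    src: str = "0.0.0.0/0"                       # CIDR; /0 means "any"
    dst: str = "0.0.0.0/0"
    dport: Optional[Tuple[int, int]] = None      # inclusive port range, None = any port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        """Every configured characteristic must match; identity of the sender is never consulted."""
        return ((self.proto == "ip" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src, strict=False)
                and ip_address(p.dst) in ip_network(self.dst, strict=False)
                and (self.dport is None or self.dport[0] <= p.dport <= self.dport[1]))


def evaluate(acl: List[AclEntry], p: Packet) -> Tuple[str, str]:
    """Top-down, first match wins; return (action, reason). Unmatched traffic hits the implicit deny."""
    for i, entry in enumerate(acl, 1):
        if entry.matches(p):
            return entry.action, f"entry {i}: {entry.note or entry.action}"
    return "deny", "implicit deny any"


# Constructed inbound ACL for an internet-facing interface. 192.0.2.0/24 plays the
# internal network; 203.0.113.0/24 plays "the outside" (both are documentation prefixes).
INBOUND: List[AclEntry] = [
    AclEntry("deny", src="192.0.2.0/24", note="anti-spoofing: internal source seen on outside interface"),
    AclEntry("permit", "tcp", dst="192.0.2.10/32", dport=(443, 443), note="HTTPS to web server"),
    AclEntry("permit", "tcp", dst="192.0.2.10/32", dport=(80, 80), note="HTTP to web server"),
    AclEntry("deny", "tcp", dport=(23, 23), note="Telnet blocked everywhere"),
    AclEntry("permit", "udp", dst="192.0.2.53/32", dport=(53, 53), note="DNS to resolver"),
]


def audit(acl: List[AclEntry], packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Run a batch of packets through the ACL and return the decisions, as a log review would show them."""
    return [(p, *evaluate(acl, p)) for p in packets]
```

Ordering is the usual pitfall: the anti-spoofing entry only works because it sits above the permits, and the Telnet deny in entry 4 is redundant for traffic that would already have fallen to the implicit deny, but it makes the intent explicit and gives a log line to alert on.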
Trusted OS 196
A Trusted Operating System (TOS) is an operating system that comes hardened and validated to a specific security level as defined in the Common Criteria for Information Technology Security Evaluation (CC). Many TOSs provide sufficient support for multilevel security, where multiple levels of classified data reside within the same system, but does not permit users to access classified data at different classification levels, and all personnel have to have approval on a need-to-know basis to access information on the system.
Common Criteria has designed the evaluation criteria into seven EALs:
- EAL1: A user must be assured that the system will operate correctly, but threats to security are not viewed as serious. The other EAL levels promote higher levels of security.
- EAL2: Developers use good design practices but security is not a high priority.
- EAL3: Developers provide moderate levels of security.
- EAL4: Security configuration is based on good commercial development. This level is the baseline for most security in commercial systems, including operating systems and products. Requires at least Microsoft Windows XP Professional, with Service Pack 2.
- EAL5: Security is implemented starting in early design. It provides high levels of security.
- EAL6: Specialized security engineering provides high levels of assurance. This level will be highly secure from penetration attackers.
- EAL7: Extremely high levels of security are provided. This level requires extensive testing, measurement, and independent testing.
Secure Router Configuration
To securely configure the router, you must do the following:
- Change the Default Password. The password for the administrator is set before the router leaves the factory. Assume that every miscreant knows the default router passwords.
- Configure the Advanced Settings. These vary by router manufacturer but often include settings to block ping requests, perform MAC address filtering
- Keep the Firmware Upgraded. Router manufacturers often issue patches when problems are discovered.
Change the default manufacturer's username and password, and encrypt the new password. Use a complex password to prevent using passwords that are easy to guess or crack. Complex passwords require passwords of a certain length (typically over 8 characters) and a mix of character types (numbers and symbols) along with requirements that the passwords are not words, variations of words, or derivatives of the username.
On a Cisco device, use the Message Digest 5 (MD5) hashing algorithm to encrypt the password. Do not use the encrypted type 7 passwords, as they are not secure and can be easily broken.
Use encrypted protocols when managing the device, including:
- Secure Shell (SSH) allows for secure interactive control of remote systems. SSH uses RSA public key cryptography for both connection and authentication. SSH is also a protocol that can be used to provide security services for
- Secure Copy Protocol (SCP) is a secure file copy protocol that uses SSH.
- HTTP over SSL (HTTPS) is a secure form of HTTP that uses SSL to encrypt data before it is transmitted.
Do not use Telnet or FTP/TFTP. These protocols send data in cleartext.
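The password and management-protocol points above are easy to check mechanically in a saved configuration. This is an added example, not course material or a vendor tool: a small audit over a Cisco IOS-style config that flags reversible type 7 passwords, an `enable password` used instead of an MD5 `enable secret`, Telnet allowed on the vty lines, and plaintext HTTP management. The two configurations are constructed (the weak one deliberately so), the command names are real IOS syntax, and the hash values are placeholders.

```python
"""Audit a Cisco IOS-style configuration for the weak settings discussed above.

Added example (not course material). The configs are constructed; hash values are placeholders.
"""
import re
from typing import List

WEAK_CONFIG = """\
hostname edge-router
enable password cisco123
username admin password 7 0822455D0A16
ip http server
line vty 0 4
 transport input telnet
 password 7 14141B180F0B
"""

HARDENED_CONFIG = """\
hostname edge-router
service password-encryption
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
username admin secret 5 $1$PLACEHOLDER$yyyyyyyyyyyyyyyyyyyyyy
no ip http server
ip http secure-server
ip ssh version 2
line vty 0 4
 transport input ssh
"""


def audit_config(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means no check fired."""
    lines = [line.rstrip() for line in text.splitlines()]
    findings: List[str] = []
    for n, line in enumerate(lines, 1):
        s = line.strip()
        if re.search(r"\bpassword 7 \S+", s):
            findings.append(f"line {n}: type 7 password is reversible, use 'secret' (MD5 type 5) instead")
        if s.startswith("enable password"):
            findings.append(f"line {n}: 'enable password' is weak, use 'enable secret'")
        if s.startswith("transport input") and ("telnet" in s or s.endswith(" all")):
            findings.append(f"line {n}: Telnet allowed on management lines, use 'transport input ssh'")
    # Device-wide checks (presence or absence of a global setting).
    if any(line.strip() == "ip http server" for line in lines):
        findings.append("config: cleartext HTTP management enabled ('ip http server')")
    if not any(line.strip().startswith("enable secret") for line in lines):
        findings.append("config: no 'enable secret' configured")
    if not any(line.strip() == "service password-encryption" for line in lines):
        findings.append("config: 'service password-encryption' not set")
    return findings


def is_hardened(text: str) -> bool:
    """True when none of the checks above fires."""
    return audit_config(text) == []
```

Running `audit_config(WEAK_CONFIG)` produces seven findings (two type 7 passwords, the enable password, Telnet on the vty lines, the HTTP server, and the two missing globals), while the hardened configuration produces none. The checks are deliberately string-level so they can run against a backup of the configuration file without touching the device.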
Control physical access by keeping network devices in a locked room. If someone can gain access to the physical device, they can easily bypass any configured passwords. Passwords are useless if physical access is not controlled. Implement the following physical security measures:
- Closed-circuit television (CCTV)
- Physical access logs
- Physical access controls
If possible, store the router configuration file in encrypted form, and back up the file to a