Authenticating Users

Chapter 6
Learning Objectives
Understand why authentication is a critical
aspect of network security
Describe why firewalls authenticate and
how they identify users
Describe user, client, and session
authentication
List advantages and disadvantages of
popular centralized authentication systems

continued
Learning Objectives

Be aware of potential weaknesses of

password security systems
Understand the use of password security
tools
Be familiar with common authentication
protocols used by firewalls
The Authentication Process in
General

The act of identifying users and providing

network services to them based on their
identity
Three forms
 Basic authentication
 Challenge-response authentication
 Centralized authentication service (often uses
two-factor authentication)
How Firewalls Implement the
Authentication Process
 Client makes request to access a resource
 Firewall intercepts the request and prompts the
user for name and password
 User submits information to firewall
 User is authenticated
 Request is checked against firewall’s rule base
 If request matches existing allow rule, user is
granted access
 User accesses desired resources
How Firewalls Implement the
Authentication Process
Types of Authentication with
Firewalls

User authentication
Client authentication
Session authentication
User Authentication

Basic authentication; user supplies

username and password to access
networked resources
Users who need to legitimately access your
internal servers must be added to your
Access Control Lists (ACLs)
User Authentication
Client Authentication

Same as user authentication but with

additional time limit or usage limit
restrictions
When configuring, set up one of two types
of authentication systems
 Standard sign-on system
 Specific sign-on system
Client Authentication
Session Authentication

Required any time the client establishes a

session with a server of other networked
resource
Comparison of Authentication
Methods
Centralized Authentication
Centralized server maintains all authorizations for
users regardless of where user is located and how
user connects to network
Most common methods
 Kerberos
 TACACS+ (Terminal Access Controller Access
Control System)
 RADIUS (Remote Authentication Dial-In User
Service)
Process of Centralized
Authentication
Kerberos Authentication
Provides authentication and encryption through
standard clients and servers
Uses a Key Distribution Center (KDC) to issue
tickets to those who want access to resources
Used internally on Windows 2000/XP
Advantages
 Passwords are not stored on the system
 Widely used in UNIX environment; enables
authentication across operating systems
Kerberos Authentication
TACACS+
Latest and strongest version of a set of
authentication protocols for dial-up access
(Cisco Systems)
Provides AAA services
 Authentication
 Authorization
 Auditing
Uses MD5 algorithm to encrypt data
RADIUS

Centralized dial-in authentication service

that uses UDP
Transmits authentication packets
unencrypted across the network
Provides lower level of security than
TACACS+ but more widely supported
TACACS+ and RADIUS
Compared

Strength of security
Filtering characteristics
Proxy characteristics
NAT characteristics
Strength of Security
Filtering Characteristics
Proxy Characteristics

RADIUS
 Doesn’t work with generic proxy systems, but a
RADIUS server can function as a proxy server
TACACS+
 Works with generic proxy systems
NAT Characteristics

RADIUS
 Doesn’t work with NAT
TACACS+
 Should work through NAT systems
Password Security Issues

Passwords that can be cracked (accessed by

an unauthorized user)
User error with passwords
Lax security habits
Passwords That Can Be Cracked
Ways to crack passwords
 Find a way to authenticate without knowing the
password
 Uncover password from system that holds it
 Guess the password
To avoid the issue
 Protect passwords effectively
 Observe security habits
User Error with Passwords
Built-in vulnerabilities
 Often easy to guess
 Often stored visibly
 Social engineering
To avoid the issues
 Choose complicated passwords
 Memorize passwords
 Never give passwords out to anyone
Lax Security Habits

To maintain some level of integrity, draw

up a formal Memorandum of Understanding
(MOU)
Password Security Tools

One-time password software

Shadow password system
One-Time Password Software
Password is generated using a secret key
Password is used only once, when the user
authenticates
Different passwords are used for each
authentication session
Types
 Challenge-response passwords
 Password list passwords
Shadow Password System

A feature of Linux that stores passwords in

another file that has restricted access
Passwords are stored only after being
encrypted by a randomly generated value
and an encoding formula
Other Authentication Systems

Single-password systems
One-time password systems
Certificate-based authentication
802.1x Wi-Fi authentication
Single-Password Systems

Operating system password

Internal firewall password
One-Time Password Systems

Single Key (S/Key)

SecurID
Axent Pathways Defender
Single Key (S/Key) Password
Authentication
Uses multiple-word rather than single word
passwords
 User specifies single-word password and the
number of times it is to be encrypted
 Password is processed by a hash function n
times; resulting encrypted passwords are stored
on the server
Never stores original password on the
server
SecurID Password Authentication

Uses two-factor authentication

 Physical object
 Piece of knowledge
Most frequently used one-time password
solution with FireWall-1
SecurID Tokens
Axent Pathways Defender
Password Authentication

Uses two-factor authentication and a

challenge-response system
Certificate-Based Authentication
FireWall-1 supports the use of digital certificates
to authenticate users
Organization sets up a Public Key Infrastructure
(PKI) that generates keys to users
 User receives a code (public key) that is generated
using the server’s private key and uses the public key to
send encrypted information to the server
 Server receives the public key and can decrypt the
information using its private key
802.1x Wi-Fi Authentication

Supports wireless Ethernet connections

Not supported by FireWall-1
802.1x protocol provides for authentication
of users on wireless networks
Wi-Fi uses Extensible Authentication
Protocol (EAP)
802.1x Wi-Fi Authentication
Chapter Summary
Overview of authentication and its importance to
network security
How and why firewalls perform authentication
services
Types of authentication performed by firewalls
 Client
 User
 Session

continued
Chapter Summary
Centralized authentication methods that firewalls
can use
 Kerberos
 TACACS+
 RADIUS
Password security issues and special password
security tools
Authentication protocols used by full-featured
enterprise-level firewalls