week 12 discussion
Access Control, Authentication, and Public Key Infrastructure
Lesson 12
Access Control Solutions for Remote Workers
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
Implement a secure remote access solution.
Key Concepts
Remote access solutions
Remote access protocols with their respective applications
Virtual private networks (VPNs), Secure Sockets Layer (SSL), and Citrix
Secure Web authentication examples
DISCOVER: CONCEPTS
Remote Access Methods
VPNs
Tokens
Browsers
Other Remote Access Methods
Remote Authentication Dial In User Service (RADIUS)
Network protocol providing communication between a network access server (NAS) and an authentication server
Terminal Access Controller Access Control System Plus (TACACS+)
Client/server protocol originally developed to control who could use dial-up lines
Wi-Fi
Networking technology that allows computers and other devices to communicate over a wireless signal
RADIUS Infrastructure
EAP over RADIUS
VPN Essentials
VPN Configurations
[Figure: Hub and Spoke Configuration (one hub site connected to several spoke sites) and Full Mesh Configuration (every VPN site connected to every other VPN site)]
Token-Based Solutions
Physical devices (something the person has); may be part of a multifactor authentication scheme
Token types:
Universal serial bus (USB) token
Smart card
Password-generating token
Biometrics
USB Tokens:
Password required (second authentication factor) to gain access to the computer system
Hard to duplicate and tamper resistant
Ability to store digital certificates that can be used in a public key infrastructure (PKI) environment
Key Questions to Discuss:
Does a second authentication factor assure complete security?
Even though USB tokens are hard to duplicate and tamper resistant, what factors still leave sensitive information stored on them vulnerable?
Can you come up with more weaknesses or strengths of USB tokens?
Smart Cards—Advantages
Contains a microprocessor, which enables storage and processing of data and the use of more robust authentication schemes:
Valid recognition of smart card (first authentication factor)
Requirement of password (second authentication factor)
Smart Cards—Disadvantage
Requires installation of a hardware reader and associated software drivers on the consumer’s home computer
Why is it a disadvantage? Let’s discuss!
Password Generating Tokens
Unique pass-code, also known as a one-time password (OTP), which ensures that the same OTP is never accepted twice in a row
User name and regular password (first authentication factor)
OTP generated by the token (second authentication factor)
What makes password-generating tokens so secure?
Password-generating tokens are secure because of the time-sensitive, synchronized nature of the authentication. The randomness, unpredictability, and uniqueness of the OTPs substantially increase the difficulty of a cyber thief capturing and using OTPs gained from keyboard logging.
Biometric Techniques and Identifiers
Fingerprint Recognition
Face Recognition
Voice Recognition
Keystroke Recognition
Handwriting Recognition
Finger and Hand Geometry
Retinal Scan
Iris Scan
Key Questions to Discuss for Biometrics
How can biometrics help financial institutions in replacing the use of Automated Teller Machine (ATM) cards?
Currently, some financial institutions, domestic and foreign, use fingerprint recognition and other biometric technologies to authenticate ATM users, eliminating the need for an ATM card and the expense of replacing lost or stolen cards.
Once enrolled, customers interact with the live-scan process of the biometrics technology. The live scan is used to identify and authenticate the customer.
Web Browsers
Today, Web browsers such as Internet Explorer, Mozilla Firefox, and Apple Safari (to name a few), are installed on almost all computers. Because Web browsers are used so frequently, it is vital to configure them securely.
Often, the Web browser that comes with an operating system is not set up in a secure default configuration.
Not securing your Web browser can lead quickly to a variety of computer problems caused by anything from spyware being installed without your knowledge to intruders taking control of your computer.
Vulnerabilities
Ideally, computer users should evaluate the risks from the software they use. Many computers are sold with software already loaded. Unfortunately, it is not practical for most people to perform this level of analysis.
There is an increasing threat from software attacks that take advantage of vulnerable Web browsers.
We have observed a trend whereby new software vulnerabilities are exploited and directed at Web browsers through use of compromised or malicious Web sites.
This problem is made worse by a number of factors, including the following:
Many users have a tendency to click on links without considering the risks of their actions.
Web page addresses can be disguised or take you to an unexpected site.
Many Web browsers are configured to provide increased functionality at the cost of decreased security.
http://www.cert.org/tech_tips/securing_browser
Key Questions to Discuss
Are Web browsers secure?
What are the vulnerabilities of Web browsers?
Why do we need to secure the Web browsers?
How can Web browsers be made secure?
Reducing Risks in Web Browsers
Force authentication (strong authentication preferred)
Configure browser for safe operation
Use remote access server (RAS) to validate access
Use secure protocols
Use host and network firewalls
Use antivirus (update it frequently)
Guard against malware
8/3/2014
DISCOVER: ROLES
Remote Access Management
Network administrator:
Installs, configures, and maintains hardware (servers) and software
Manages patch management process
Implements recommendations from vendor for operational effectiveness
Implements recommendations from information security to decrease vulnerabilities
Remote Access Management (Continued)
Operations analyst:
Monitors systems for correct operation and availability
Reports and corrects abnormal operations and assures system stability
Remote Access Management (Continued)
Information security officer:
Receives, monitors, and remediates security events and policy violations
Ensures compliance with established system configuration (hardening) standards
Performs vulnerability analysis and recommends corrective actions
Oversees external penetration tests
DISCOVER: CONTEXTS
RADIUS vs. TACACS+
| Attributes | RADIUS | TACACS+ |
| --- | --- | --- |
| Transport Protocol | User Datagram Protocol (UDP) | Transmission Control Protocol/Internet Protocol (TCP/IP) |
| Encryption | Encrypts only the password | Encrypts the entire body of the packet |
| Authentication, authorization, and accounting (AAA) | Not considered a pure AAA architecture | Pure AAA |
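The "encrypts only the password" row, and the earlier description of RADIUS as the protocol between a NAS and an authentication server, are easiest to see in code. This added example (not from the textbook or slides) implements the RFC 2865 User-Password hiding that a NAS applies before sending an Access-Request: the password is XORed with an MD5 keystream derived from the shared secret and the Request Authenticator, while User-Name and every other attribute cross the wire as plain text. The shared secret and authenticator below are constructed sample values, and `access_request_attributes` is an assumed helper name.

```python
import hashlib

USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute type codes

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then XOR each
    block with MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same shared secret reverses the hiding. Trailing NULs are padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: one-byte type, one-byte length (header included), value."""
    return bytes([attr_type, len(value) + 2]) + value

def access_request_attributes(username: bytes, password: bytes,
                              secret: bytes, authenticator: bytes) -> bytes:
    """Attribute section of an Access-Request (assumed helper): only User-Password is hidden;
    User-Name is sent exactly as typed, which is why TACACS+ encrypts the whole body instead."""
    return (attribute(USER_NAME, username)
            + attribute(USER_PASSWORD, hide_user_password(password, secret, authenticator)))

if __name__ == "__main__":
    auth = bytes(range(16))           # constructed Request Authenticator (real ones are random)
    secret = b"constructed-shared-secret"
    attrs = access_request_attributes(b"alice", b"hunter2", secret, auth)
    print(attrs.hex())                # "alice" is readable in the hex; "hunter2" is not
```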
User Types and Potential Access Methods
Identification–Authentication–Authorization methods by user type:

| Types of Users | VPN | Token | Browser | RADIUS | TACACS+ | Wi-Fi |
| --- | --- | --- | --- | --- | --- | --- |
| Local user | X | X | X | | | |
| Web customer | X | X | | | | |
| Business-to-business (B2B) customer | X | X | X | | | |
User Types and Potential Access Methods (Continued)
Identification–Authentication–Authorization methods by user type:

| Types of Users | VPN | Token | Browser | RADIUS | TACACS+ | Wi-Fi |
| --- | --- | --- | --- | --- | --- | --- |
| Wireless user | X | X | X | X | | |
| Dial-in user | X | X | X | X | X | X |
| Remote user | X | X | X | X | X | X |
| Government (Scale) | X | X | X | X | X | X |
Remote Access Implementation Requirements
Potential requirements (configurations may vary based on requirements):

| Remote Access Method | Software | Special Hardware | Secure Sockets Layer | RADIUS | TACACS+ | Wi-Fi |
| --- | --- | --- | --- | --- | --- | --- |
| VPN | X | Appliance or Routers | APs | | | |
| Browser | X | Certificate | X | X | X | |
| Wi-Fi | X | Access Points (APs) | X | X | X | |
SSL in E-commerce
DISCOVER: RATIONALE
Remote Access Solution
Designing and deploying a secure remote access solution is necessary to satisfy the following business objectives:
Satisfaction of customers and partners
Profit
Market presence
Remote Access Solution (Continued)
Competition
Communication
Workforce
Virtual project management
Security Concerns in Remote Access
Risk assessment
Authentication
Access control
Data protection
Security Concerns in Remote Access (Continued)
Logging and reporting
Data classification
Least privilege and need to know
Summary
Remote access methods
Remote access management
RADIUS versus TACACS+
Remote access implementation requirements
Security concerns in remote access