conklin_principlesofcomputersecurity_5e_Chap011_PPT.pptx

Authentication and Remote Access

Chapter 11

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Objectives (1 of 2)

Identify the differences among user, group, and role management.

Implement password and domain password policies.

Describe methods of account management (SSO, time of day, logical token, account expiration).

Describe methods of access management (MAC, DAC, and RBAC).

Discuss the methods and protocols for remote access to networks.


Objectives (2 of 2)

Identify authentication, authorization, and accounting (AAA) protocols.

Explain authentication methods and the security implications in their use.

Implement virtual private networks (VPNs) and their security aspects.


Key Terms (1 of 9)

AAA

Access control

Access control list (ACL)

Access control matrix

Accounting

Account expiration

Account maintenance

Account recertification

Administrator

Attribute-based access control (ABAC)

Authentication

Authentication server (AS)

Authorization

Basic authentication

Biometric factors


AAA – Acronym for authentication, authorization, and accounting (AAA). They are three common functions performed upon system login. Authentication and authorization almost always occur, with accounting being somewhat less common.

Access control – Mechanism or method used to determine what access permissions subjects (such as users) have for specific objects (such as files).

Access control list (ACL) – A list associated with an object (such as a file) that identifies what level of access each subject (such as a user) has—what they can do to the object (such as read, write, or execute).

Access control matrix – A table with one row per subject and one column per object, in which each cell lists the permissions that subject holds on that object. It is the simplest framework for representing access rights: an access control list is one column of the matrix (every subject's rights to one object) and a capability list is one row (one subject's rights to every object).

Accounting – The collection of billing and other detail records.

Account expiration – The setting of an ending time for an account’s validity.

Account maintenance – The routine screening of all attributes for an account.

Account recertification – The process of recertifying an account periodically. The process of recertification ensures that only users needing accounts have accounts in the system.

Administrator – A superuser account under the Windows operating system.

Attribute-based access control (ABAC) – An access control model built around a set of rules built upon specific attributes.

Authentication – The process by which a subject’s (such as a user’s) identity is verified.

Authentication server (AS) – A server used to perform authentication tasks.

Authorization – The function of determining what an authenticated subject is permitted to do.

Basic authentication – The simplest technique used to manage access control across HTTP. Basic authentication passes the username and password, joined by a colon and encoded in Base64, in a standard HTTP header. Base64 is an encoding, not encryption, so anyone who can read the header recovers the credentials; Basic authentication is a plaintext method without any pretense of security and should only ever be used over TLS.

Biometric factors – The measurements of certain biological features to identify one specific person from other people. These factors are based on parts of the human body that are unique. The most well-known of these unique biological factors is the fingerprint.


Key Terms (2 of 9)

Certificate

Challenge-Handshake Authentication Protocol (CHAP)

Client-to-server ticket

Common Access Card (CAC)

Credential Management

Crossover error rate

Digest authentication

Digital certificate

Directory

Discretionary access control (DAC)

Domain controller

Domain password policy


Certificate – A method of establishing authenticity of specific objects such as an individual’s public key or downloaded software.

Challenge-Handshake Authentication Protocol (CHAP) – A challenge-response protocol used to authenticate a peer across a point-to-point link using PPP. The authenticator sends a random challenge, the peer returns a hash (MD5 in RFC 1994) of a one-octet identifier, the shared secret, and the challenge, and the authenticator recomputes the hash and compares. The secret itself never crosses the link, and each response is tied to one challenge, so a captured response cannot be replayed. The authenticator may repeat the challenge at any time after the link has been established, but this periodic re-authentication is not mandatory.

Client-to-server ticket – The second ticket used in the Kerberos environment that is used to gain access to a server’s service in the realm. The user presents a request and a client-to-server ticket to the desired service and if the client-to-server ticket is valid, service is granted to the client. Also called a service ticket.

Common Access Card (CAC) – A smart card identification used by the U.S. Department of Defense (DoD) for active duty military, selected reserve personnel, DoD civilians, and eligible contractors. It is used for carrying the credential data, in the form of a certificate, for the cardholder used to determine access to Federal facilities and information systems.

Credential management – Refers to the processes, services, and software used to store, manage, and log the use of user credentials. Credential management solutions are typically aimed at assisting end users manage their growing set of passwords.

Crossover error rate – The rate at which the false acceptance rate and the false rejection rate are equal, found by moving the matching threshold until the two error curves cross. It is the usual single number for comparing biometric systems (lower is better). In operation the threshold is often set away from the crossover point, toward fewer false acceptances when security matters more than convenience, or fewer false rejections when it does not. Also known as the equal error rate (EER).

Digest authentication – A method used to negotiate credentials across the Web. Digest authentication sends a hash (MD5 in RFC 2617) of the username, realm, password, server-supplied nonce, and request details, so the password itself is never transmitted and a captured response is useless against a fresh nonce. It improves on basic authentication but is still weak by modern standards (MD5, no integrity protection of the message body) and should be combined with TLS.

Digital certificate – A digital file that binds a public key to the identity of its holder and is signed by a certificate authority. It is used to verify that a message or piece of software did indeed come from the entity it claims to have come from.

Directory – A data storage mechanism similar to a database, but it has several distinct differences designed to provide efficient data-retrieval services compared to standard database mechanisms. A directory is designed and optimized for reading data, offering very fast search and retrieval operations.

Discretionary access control (DAC) – An access control mechanism in which the owner of an object (such as a file) can decide which other subjects (such as other users) may have access to the object, and what access (read, write, execute) those subjects can have.

Domain controller – A computer that responds to security authentication requests, such as logging into a computer, for a Windows domain.

Domain password policy – A password policy for a specific domain.
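The Basic and Digest entries above describe two very different ways of proving a password over HTTP. The following is an added example, not code from the textbook: it shows that a Basic header decodes straight back to the password, then a minimal Digest client and server in which the server stores only the HA1 hash (never the password) and tracks the nonce count so that a replayed response is refused. The realm, username, and password strings are the sample values from the RFC 2617 example; the class and function names are my own, and the server keeps its state in memory for illustration.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets


def basic_header(username: str, password: str) -> str:
    """Build an RFC 7617 Basic header. Base64 is an encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header: str) -> tuple[str, str]:
    """What any observer of the header can do: recover the cleartext credentials."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of RFC 2617 Digest with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Server side: stores HA1 per user, hands out random nonces, refuses replayed nonce counts."""

    def __init__(self, realm: str, users: dict[str, str]):
        self.realm = realm
        self.ha1 = {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.nonces: dict[str, int] = {}  # nonce -> highest nonce-count accepted so far

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> bool:
        if nonce not in self.nonces or username not in self.ha1:
            return False
        count = int(nc, 16)
        if count <= self.nonces[nonce]:   # replayed or out-of-order nonce-count
            return False
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{self.ha1[username]}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False
        self.nonces[nonce] = count
        return True
```

Note that the Digest server never needs the user's password after enrolment, only HA1, but HA1 is itself an unsalted MD5 and must be protected like a password equivalent; Basic gives the server (and any eavesdropper) the password outright.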


Key Terms (3 of 9)

eXtensible Access Control Markup Language (XACML)

Extensible Authentication Protocol (EAP)

False acceptance rate

False negative

False positive

False rejection rate

Federated identity management

FTPS

Generic accounts

Group

Group policy object (GPO)


eXtensible Access Control Markup Language (XACML) – An open standard XML-based language used to describe access control.

Extensible Authentication Protocol (EAP) – A universal authentication framework defined by RFC 3748 that is frequently used in wireless networks and point-to-point connections. Although EAP is not limited to wireless and can be used for wired authentication, it is most often used in wireless LANs.

False acceptance rate (FAR) – A measurement of the level of false positives that will be allowed in the system. Expressed as a probability, the false acceptance rate is the probability that the system incorrectly reports a match between the biometric input and the stored template. The FAR is calculated as the number of unauthorized accesses granted divided by the total number of unauthorized access attempts.

False negative – An instance when the system denies access to someone who is actually authorized.

False positive – An instance where you receive a positive result for a test, when you should have received a negative result. Thus, a false positive result occurs when a biometric is scanned and allows access to someone who is not authorized.

False rejection rate (FRR) – A measurement of what level of false negatives, or rejections, are going to be allowed in the system. If an authorized user is rejected by the system, this is a false rejection.

Federated identity management – An agreement between multiple enterprises that lets parties use the same identification data to obtain access to the networks of all enterprises in the group. This federation enables access to be managed across multiple systems in common trust levels.

FTPS – The use of FTP over an SSL/TLS secured channel.

Generic accounts – Accounts without a named user behind them. These can be employed for special purposes, such as running services and batch processes, but because they cannot be attributed to an individual, they should not have login capability.

Group – A collection of users with some common criteria, such as a need for access to a particular dataset or group of applications.

Group policy object (GPO) – Stores the group policy settings in a Microsoft Active Directory environment.
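The FAR, FRR and crossover error rate entries above become concrete once you sweep a matching threshold over real match scores. The following is an added example, not code from the textbook: the genuine and impostor score lists are constructed sample data for a hypothetical matcher (1.0 is a perfect match), and the function names are my own. It computes both rates at any threshold, finds the crossover point, and shows what a stricter FAR target costs in false rejections.

```python
# Constructed match scores, one per attempt, for a hypothetical fingerprint matcher.
GENUINE = [0.90, 0.85, 0.80, 0.75, 0.70, 0.60, 0.55, 0.40]   # enrolled user against own template
IMPOSTOR = [0.10, 0.20, 0.30, 0.35, 0.45, 0.50, 0.65, 0.80]  # other people against that template


def false_acceptance_rate(impostor_scores, threshold):
    """FAR: impostor attempts accepted (score >= threshold) over all impostor attempts."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def false_rejection_rate(genuine_scores, threshold):
    """FRR: genuine attempts rejected (score < threshold) over all genuine attempts."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def crossover(genuine_scores, impostor_scores):
    """Threshold at which FAR and FRR are closest to equal, and the rate there (CER/EER)."""
    candidates = sorted(set(genuine_scores) | set(impostor_scores))
    best = min(candidates, key=lambda t: abs(false_acceptance_rate(impostor_scores, t)
                                             - false_rejection_rate(genuine_scores, t)))
    return best, false_acceptance_rate(impostor_scores, best)


def threshold_for_max_far(genuine_scores, impostor_scores, max_far):
    """Lowest threshold keeping FAR at or below a target; returns (threshold, far, frr)
    so the price paid in false rejections is visible. None if no threshold qualifies."""
    for t in sorted(set(genuine_scores) | set(impostor_scores)):
        far = false_acceptance_rate(impostor_scores, t)
        if far <= max_far:
            return t, far, false_rejection_rate(genuine_scores, t)
    return None
```

With the sample data the curves cross at a threshold of 0.6 (FAR = FRR = 0.25); demanding FAR no higher than 0.15 pushes the threshold to 0.7 and triples the false rejections, which is the convenience-versus-security trade the crossover entry describes.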


Key Terms (4 of 9)

Guest accounts

HMAC-based One-Time Password (HOTP)

Identification

IEEE 802.1X

Kerberos

Key distribution center (KDC)

Layer 2 Tunneling Protocol (L2TP)

Lightweight Directory Access Protocol (LDAP)

Mandatory access control (MAC)

Multifactor authentication

Mutual authentication


Guest accounts – Frequently used on corporate networks to provide visitors with access to the Internet and to some common corporate resources, such as projectors and printers in conference rooms. These accounts are restricted in their network capability to a defined set of machines with a defined set of access, much like a user from the Internet visiting the organization's publicly facing web site.

HMAC-based One-Time Password (HOTP) – An algorithm (RFC 4226) that derives a short one-time code from an HMAC of a shared secret and a counter that both the token and the authentication server advance. Each code is valid once; the server must remember the last counter it accepted so that a captured code cannot be reused. (HMAC stands for Hash-based Message Authentication Code.)

Identification – The process of determining identity as part of identity management and access control. Usually performed only once, when the user ID is assigned.

IEEE 802.1X – An authentication standard that supports port-based network access control. A supplicant (the user's device) authenticates, usually via EAP, through an authenticator such as a switch or wireless access point, which relays the exchange to an authentication server (typically RADIUS) and opens the port only after success.

Kerberos – A network authentication protocol designed by MIT for use in client/server environments.

Key distribution center (KDC) – The trusted third party in the Kerberos authentication system. It holds the secret keys of every principal in the realm and is made up of the authentication server (AS), which issues ticket-granting tickets, and the ticket-granting server (TGS), which issues service tickets.

Layer 2 Tunneling Protocol (L2TP) – A tunneling protocol (RFC 2661) that merged Cisco's Layer 2 Forwarding (L2F) with PPTP. It carries PPP frames, and so operates at the data link layer, across an IP network. L2TP provides no encryption of its own, which is why it is normally run inside IPsec (L2TP/IPsec) when used for VPNs.

Lightweight Directory Access Protocol (LDAP) – An offshoot of the Directory Access Protocol (DAP) that offers all of the functionality most directories need and is easier and more economical to implement. It is the protocol commonly used to handle user authentication/authorization as well as to control access to Active Directory objects. A simple bind sends the password in cleartext, so LDAP should be carried over TLS (LDAPS or StartTLS).

Mandatory access control (MAC) – An access control mechanism in which the security mechanism controls access to all objects (files), and individual subjects (processes or users) cannot change that access.

Multifactor authentication – Simply the combination of two or more types of authentication. Also known as multiple-factor authentication.

Mutual authentication – Describes a process in which each side of an electronic communication verifies the authenticity of the other.


Key Terms (5 of 9)

OAuth (Open Authorization)

Offboarding

Onboarding

OpenID

OpenID Connect

Password Authentication Protocol (PAP)

Permissions

Personal identity verification (PIV)

Point-to-point protocol (PPP)

Point-to-Point Tunneling Protocol (PPTP)

Privilege management


OAuth (Open Authorization) – An open protocol that lets a user grant a web, mobile, or desktop application limited, token-based access to resources held by another service, without sharing the user's password with that application. OAuth is an authorization framework; by itself it does not establish who the user is, which is what OpenID Connect adds on top of it.

Offboarding – Involves taking personnel off a project or team. When people are offboarded, they are removed from the groups they were added to when brought onto the project, and accounts that are no longer needed are disabled.

Onboarding – Involves bringing personnel onto a project or team. During onboarding, proper account relationships need to be managed: new members are put into the correct groups so that they inherit the access their role requires and nothing more.

OpenID – OpenID is about proving who you are: the authentication step that comes before authorization. OpenID was created for federated authentication and lets a third party (an identity provider) authenticate your users for you, using accounts the users already have.

OpenID connect – A simple identity layer on top of the OAuth 2.0 protocol. OpenID Connect allows clients of all types (mobile, JavaScript, and web based clients) to request and receive information about authenticated sessions and end users.

Password Authentication Protocol (PAP) – A protocol that involves a two-way handshake in which the username and password are sent across the link in cleartext. PAP authentication does not provide any protection against playback and line sniffing. PAP is now a deprecated standard.

Permissions – Authorized actions a subject can perform on an object. See also access controls.

Personal identity verification (PIV) – A U.S. government smart card that contains the credential data for the cardholder used to determine access to federal facilities and information systems.

Point-to-Point Protocol (PPP) – An older, still widely used protocol for establishing dial-in connections over serial lines or Integrated Services Digital Network (ISDN) services. PPP has several authentication mechanisms, including PAP, CHAP, and the Extensible Authentication Protocol (EAP).

Point-to-Point Tunneling Protocol (PPTP) – A VPN method that encapsulates PPP frames inside Generic Routing Encapsulation (GRE) packets, with a separate TCP control connection on port 1723. Its usual authentication (MS-CHAPv2) and encryption (MPPE, based on RC4) have known practical attacks, so PPTP is considered obsolete and should not be used for new deployments.

Privilege management – The process of restricting a user’s ability to interact with the computer system.
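The PAP, CHAP, and PPP entries above describe the two classic PPP authentication methods. This added example, which is not code from the textbook, puts them side by side: a PAP request is written out as the cleartext it is, then the CHAP three-way handshake (Challenge, Response, Success/Failure) runs between a peer and an authenticator that issues a random challenge per attempt, accepts each challenge only once, and compares the MD5 response in constant time. The class names, the 16-byte challenge size, and the sample names and secrets are my own choices.

```python
from __future__ import annotations

import hashlib
import hmac
import os


def pap_frame(username: str, password: str) -> bytes:
    """PAP Authenticate-Request: the credentials go over the link as-is."""
    return username.encode() + b":" + password.encode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The PPP server side. CHAP must hold the shared secret in the clear, which is
    why a password store that backs CHAP needs reversible (effectively plaintext) secrets."""

    def __init__(self, secrets_by_name: dict[str, bytes]):
        self.secrets = secrets_by_name
        self.outstanding: dict[int, bytes] = {}   # identifier -> challenge awaiting a response
        self.next_id = 0

    def challenge(self) -> tuple[int, bytes]:
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256   # the CHAP identifier is one octet
        chal = os.urandom(16)
        self.outstanding[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        chal = self.outstanding.pop(ident, None)  # each challenge can be answered once
        if chal is None or name not in self.secrets:
            return False
        expected = chap_response(ident, self.secrets[name], chal)
        return hmac.compare_digest(expected, response)


class Peer:
    """The dial-in client: proves knowledge of the secret without sending it."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, ident: int, challenge: bytes) -> tuple[str, bytes]:
        return self.name, chap_response(ident, self.secret, challenge)


def run_chap(auth: Authenticator, peer: Peer) -> bool:
    """Full handshake: Challenge -> Response -> Success (True) or Failure (False)."""
    ident, chal = auth.challenge()
    name, resp = peer.respond(ident, chal)
    return auth.verify(ident, name, resp)
```

A sniffer on the link sees the PAP frame's password directly; for CHAP it sees only the challenge and a 16-byte MD5 response, and replaying that response fails because the authenticator discarded the challenge it answered.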


Key Terms (6 of 9)

Privileged accounts

Privileges

Remote access server (RAS)

Remote Authentication Dial-In User Service (RADIUS)

Remote Desktop Protocol (RDP)

Rights

Role

Role-based access control (RBAC)

Root

Rule-based access control


Privileged accounts – Any accounts with greater than normal user access. Privileged accounts are typically root or admin-level accounts and represent risk in that they are unlimited in their powers.

Privileges – Term meaning that you have the ability to “do something” on a computer system such as create a directory, delete a file, or run a program.

Remote access server (RAS) – A combination of hardware and software used to enable remote access to a network.

Remote Authentication Dial-In User Service (RADIUS) – An AAA protocol designed as a connectionless protocol that uses the User Datagram Protocol (UDP) as its transport layer protocol. Connection type issues, such as timeouts and retransmission, are handled by the RADIUS application instead of the transport layer. RADIUS uses UDP port 1812 for authentication and authorization and UDP port 1813 for accounting functions (older deployments used 1645 and 1646). Only the User-Password attribute is obscured, with an MD5 construction keyed by the shared secret between client and server; every other attribute travels in the clear, so RADIUS traffic should stay on a trusted management network or be carried inside IPsec or RADIUS/TLS (RadSec).

Remote Desktop Protocol (RDP) – A proprietary Microsoft protocol designed to provide a graphical connection to another computer.

Rights – These define the actions a user can perform on the system itself, such as change the time, adjust auditing levels, and so on. Rights are typically applied to operating system–level tasks.

Role – Term used to describe a person’s job or function within the organization.

Role-based access control (RBAC) – An access control mechanism in which, instead of the users being assigned specific access permissions for the objects associated with the computer system or network, a set of roles that the user may perform is assigned to each user.

Root – An account under Unix that is reserved for special functions and typically has much more access and control over the computer system than the average user account.

Rule-based access control – An access control mechanism in which access decisions are made by evaluating a set of administrator-defined rules (for example, a firewall's ordered rule list) against attributes of the request, rather than by the identity of the subject alone.


Key Terms (7 of 9)

Security Assertion Markup Language (SAML)

Secure token

Service accounts

SFTP

Single sign-on (SSO)

Shared accounts

Shibboleth

Smart card

Software tokens

Something you are

Something you do

Something you have

Something you know

Somewhere you are


Security Assertion Markup Language (SAML) – An XML-based open standard for exchanging authentication and authorization assertions between an identity provider and a service provider. It underpins much web single sign-on: the user authenticates once to the identity provider, which issues a signed assertion that each application trusts instead of collecting credentials itself.

Secure token – A security token issued by a security token service (STS), the service responsible for issuing, validating, renewing, and cancelling such tokens.

Service accounts – Accounts that are used to run processes that do not require human intervention to start/stop/administer.

SFTP – The SSH File Transfer Protocol, a file transfer protocol that runs as a subsystem over an SSH connection and inherits SSH's authentication and encryption. Despite the name it is not FTP tunneled over SSH, and it is unrelated to FTPS (FTP over TLS). SFTP is also referred to as Secure FTP.

Single sign-on (SSO) – An authentication process by which the user can enter a single user ID and password and then move from application to application or resource to resource without having to supply further authentication information.

Shared accounts – Go against the basic tenet that accounts exist so that user activity can be tracked. They exist only to provide a specific set of functionality, as in a PC running in kiosk mode with a browser limited to specific sites as an information display. Shared accounts are sometimes called generic accounts.

Shibboleth – A service designed to enable single sign-on and federated identity-based authentication and authorization across networks.

Smart card – A card with an embedded processor that can increase security because it carries cryptographic keys that are too long to remember and occupy too large a space to guess; the private key is used inside the card and never leaves it.

Software tokens – An access token that is implemented in software.

Something you are – One of the categories of authentication factors. It specifically refers to biometrics, as the “you are” indicates. One of the challenges with something-you-are artifacts is that they are typically hard to change, so once assigned they become immutable. Another challenge with biometrics involves the issues associated with measuring things on a person.

Something you do – Another one of the categories of authentication factors. It specifically refers to activities, as the “you do” indicates. An example of this is a signature, because the movement of the pen and the two dimensional output are difficult for others to reproduce.

Something you have – Another one of the categories of authentication factors. It specifically refers to tokens and other items that a user can possess physically, as the “you have” indicates.

Something you know – Another one of the categories of authentication factors. It specifically refers to passwords, as the “you know” indicates. The most common example of something you know is a password.

Somewhere you are – Another one of the categories of authentication factors. One of the more stringent elements is your location, or somewhere you are. Location can be compared to records to determine if you are really there, or even should be there.


Key Terms (8 of 9)

Superuser

Terminal Access Controller Access Control System+ (TACACS+)

Ticket-granting server (TGS)

Ticket-granting ticket (TGT)

Time-based One-Time Password (TOTP)

Time-of-day restrictions

Token

Transitive trust

Tunneling

Usage auditing and review


Superuser – Accounts (such as root or Administrator) that are not typically assigned to a specific individual and are restricted, accessed only when the full capabilities of that account are required.

Terminal Access Controller Access Control System+ (TACACS+) – The current generation of the TACACS protocol family, defined by Cisco. TACACS+ extended the attribute control and accounting processes, separates authentication, authorization, and accounting into distinct exchanges, runs over TCP port 49, and encrypts the entire packet body (where RADIUS protects only the password).

Ticket-granting server (TGS) – A portion of the Kerberos authentication system.

Ticket-granting ticket (TGT) – The first ticket issued in the Kerberos environment. The KDC verifies the user's credentials and issues a ticket-granting ticket (TGT), which the user then presents to the ticket-granting server (TGS) whenever a ticket for a specific service is needed.

Time-based One-Time Password (TOTP) – A variant of HOTP (RFC 6238) in which the moving factor is the current time divided into fixed steps (typically 30 seconds) rather than a counter, so the token and the server need synchronized clocks rather than a synchronized counter, and a code is valid only during its time step.

Time-of-day restrictions – Specify restrictions that limit when a user can log in, when certain resources can be accessed, and so on. Time-of-day restrictions are usually specified for individual accounts.

Token – A hardware device that can be used in a challenge-response authentication process.

Transitive trust – A relationship where the trust relationship extended to one domain will be extended to any other domain trusted by that domain.

Tunneling – The encapsulation of one packet within another, which allows you to hide the original packet from view or change the nature of the network transport. This can be done for both security and practical reasons.

Usage auditing and review – An examination of logs to determine user activity. Reviewing access control logs for root level accounts is an important element of securing access control methods.


Key Terms (9 of 9)

User

Username

Virtual private network (VPN)


User – A term that generally applies to any person accessing a computer system. In privilege management, a user is a single individual, such as “John Forthright” or “Sally Jenkins.” This is generally the lowest level addressed by privilege management and the most common area for addressing access, rights, and capabilities.

Username – A unique alphanumeric identifier that a user will use to identify himself or herself when logging into or accessing the system.

Virtual private network (VPN) – An encrypted network connection across another network, offering a private communication channel across a public medium.


Introduction

Privileges mean you have the ability to “do something” on a computer.

Privilege management is the process of restricting a user’s ability to interact with the computer system.

Remote access enables users outside a network to have network access and privileges as if they were inside the network.

Authentication is the process of establishing a user’s identity to enable the granting of permissions.


Essentially, everything a user can do to or with a computer system falls into the realm of privilege management. Privilege management occurs at many different points within an operating system or even within applications running on a particular operating system.

Remote access is another key issue for multiuser systems in today’s world of connected computers. Isolated computers, not connected to networks or the Internet, are rare items these days.

To establish network connections, a variety of methods are used, the choice of which depends on network type, the hardware and software employed, and any security requirements.


User, Group, and Role Management

To effectively manage privileges, a mechanism for separating people into distinct entities (users) is required.

It is convenient and efficient to be able to lump users together when granting many different people (groups) access to a resource at the same time.

It is useful to be able to grant or restrict access based on a person’s job or function within the organization (role).


While you can manage privileges on the basis of users alone, managing user, group, and role assignments together is far more convenient and efficient.


User (1 of 4)

The term user generally applies to any person accessing a computer system.

In privilege management, a user is a single individual.

A username is a unique alphanumeric identifier the user will use to identify himself or herself when logging into or accessing the system.


The concept of a user is generally the lowest level addressed by privilege management and the most common area for addressing access, rights, and capabilities.

When developing a scheme for selecting usernames, you should keep in mind that usernames must be unique to each user, but they must also be fairly easy for the user to remember and use.

With some notable exceptions, in general a user who wants to access a computer system must first have a username created for him on the system he wishes to use. This is usually done by a system administrator, security administrator, or other privileged user, and this is the first step in privilege management—a user should not be allowed to create their own account.


User (2 of 4)

Rights define the actions a user can perform on the system itself.

Permissions control what the user is allowed to do with objects on the system.


User (3 of 4)

“Special” user accounts are reserved for special functions and typically have much more access and control.

The administrator account under Windows and the root account under UNIX

Both known as the superuser

Must be protected with strong passwords

The system account used by Windows operating systems

Granted full control to all files on an NTFS volume by default


User (4 of 4)

Figure 11.1 Users tab on a Windows Server 2008 system


This figure shows the Users management tab of the Computer Management utility on a Windows Server 2008 system. Note that several user accounts have been created on this system, each identified by a unique username.


Shared and generic accounts/credentials

Shared accounts go against the basic tenet that accounts exist so that user activity can be tracked.

Shared accounts are sometimes called generic accounts.

Shared accounts exist only to provide a specific set of functionality

Example: PC running in kiosk mode, with a browser limited to specific sites as an information display

Tracing the activity to a user is not particularly useful.


Guest accounts

Guest accounts are frequently used on corporate networks

Provide visitors’ access to the Internet

Provide common corporate resources

Accounts are restricted in their network capability to a defined set of machines with a defined set of access

Logging and tracing activity have little to no use

Overhead of establishing an account does not make sense


Service accounts

Service accounts are used to run processes that do not require human intervention to start/stop/administer.

Windows systems can deny them interactive logon (the “Deny log on locally” user right), so the account can run its service but nobody can sign in with it.

Limits attack vectors that can be applied to these accounts

Can apply time restrictions for accounts that run batch jobs at night and then monitor when they run.

Service accounts that run in an elevated privilege mode should receive extra monitoring and scrutiny.


Privileged accounts

Privileged accounts have greater than normal user access.

Privileged accounts are typically root or admin-level accounts and represent risk in that they are unlimited in their powers.

Require regular real-time monitoring, if at all possible, and should always be monitored when operating remotely.

There may be reasons why system administrators are acting via a remote session, but when they are, the purposes should be known and approved.


Group (1 of 3)

Under privilege management, a group is a collection of users with some common criteria, such as a need for access to a particular dataset or group of applications.

A new user added to a group “inherits” the permissions of the group as soon as she is placed in it, so she can access the group's resources without any per-user configuration.

Some operating systems have built-in groups.

Makes the tasks of assigning and managing permissions easier


Group (2 of 3)

Figure 11.2 Logical representation of groups


This figure shows a common approach to grouping users—building groups based on job function.


Group (3 of 3)

Figure 11.3 Groups tab on a Windows Server 2008 system


As this figure shows, a computer system can have many different groups, each with its own rights and permissions.

As you can see from the description for the Administrators group in this figure, this group has complete and unrestricted access to the system. This includes access to all files, applications, and datasets. Anyone who belongs to the Administrators group or is placed in this group will have a great deal of access and control over the system.


Role

A role is usually synonymous with a job or set of functions.

Security admins need to accomplish specific functions

In general, anyone serving in the role of security admin needs the same rights and privileges as every other security admin.

For simplicity and efficiency, rights and privileges can be assigned to the role security admin, and anyone assigned to fulfill that role automatically has the correct rights and privileges to perform the required tasks.


For example, the role of security admin in Microsoft SQL Server may be applied to someone who is responsible for creating and managing logins, reading error logs, and auditing the application.
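The user, group, and role model described in this section, as an added example that is not code from the textbook or from any vendor's directory service: permissions are granted to roles, roles are assigned to users or groups, group membership may be nested, and a user's effective permissions are resolved by walking every group the user belongs to, directly or transitively. Adding and removing a group member models onboarding and offboarding. The class name, the role and object names, and the user names are my own.

```python
from collections import defaultdict


class PrivilegeDirectory:
    """Users, (possibly nested) groups, and roles; access is resolved through all of them."""

    def __init__(self):
        self.members = defaultdict(set)      # group -> {user or nested group}
        self.role_perms = defaultdict(set)   # role -> {(object, action)}
        self.assigned = defaultdict(set)     # user or group -> {role}

    def add_member(self, group, member):
        self.members[group].add(member)

    def remove_member(self, group, member):
        self.members[group].discard(member)

    def grant(self, role, obj, action):
        self.role_perms[role].add((obj, action))

    def assign_role(self, principal, role):
        self.assigned[principal].add(role)

    def groups_of(self, principal):
        """All groups containing the principal, following nesting (A in B, B in C => A in C)."""
        found, stack = set(), [principal]
        while stack:
            p = stack.pop()
            for group, members in self.members.items():
                if p in members and group not in found:
                    found.add(group)
                    stack.append(group)
        return found

    def effective_permissions(self, user):
        """Union of the permissions of every role held by the user or any of the user's groups."""
        roles = set()
        for principal in {user} | self.groups_of(user):
            roles |= self.assigned.get(principal, set())
        perms = set()
        for role in roles:
            perms |= self.role_perms.get(role, set())
        return perms

    def is_allowed(self, user, obj, action):
        return (obj, action) in self.effective_permissions(user)
```

Because nothing is ever granted to a user directly, offboarding is a single `remove_member` call and the user's effective permissions collapse to the empty set; that is the property the role slide is arguing for.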


Domain Password Policy (1 of 2)

A domain password policy is a password policy for a specific domain.

The domain controller is a computer that responds to security authentication requests, such as logging into a computer.

The domain password policy usually falls under a group policy object (GPO) and has several elements.

Domains are logical groups of computers that share a central directory database, known as the Active Directory database.


The database contains information about the user accounts and security information for all resources identified within the domain. Each user within the domain is assigned his or her own unique account (that is, a domain is not a single account shared by multiple users), which is then assigned access to specific resources within the domain.

In operating systems that provide domain capabilities, the password policy is set in the root container for the domain and applies to all users within that domain. Setting a password policy for a domain is similar to setting other password policies in that the same critical elements need to be considered (password length, complexity, life, and so on).

Historically, because the domain is a security boundary and one policy applied to every user in it, a different policy for a group of users required a separate domain. Since Windows Server 2008, Active Directory fine-grained password policies (Password Settings Objects) allow different password and lockout settings to be applied to specific users or global security groups within a single domain.

In a Windows domain, the domain password policy lives in the Default Domain Policy group policy object, under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy, and is edited with the Group Policy Management console.

Domain Password Policy (2 of 2)

Figure 11.4 Password policy options in Windows Local Security Policy

Elements of the group policy object (GPO):

Enforce password history Tells the system how many passwords to remember and does not allow a user to reuse an old password.

Maximum password age Specifies the maximum number of days a password may be used before it must be changed.

Minimum password age Specifies the minimum number of days a password must be used before it can be changed again.

Minimum password length Specifies the minimum number of characters that must be used in a password.

Password must meet complexity requirements Specifies that the password must meet the minimum length requirement and have characters from at least three of the following four groups: English uppercase characters (A through Z), English lowercase characters (a through z), numerals (0 through 9), and non-alphabetic characters (such as !, $, #, %).

Store passwords using reversible encryption Reversible encryption is a form of encryption that can easily be decrypted and is essentially the same as storing a plaintext version of the password (because it’s so easy to reverse the encryption and get the password). This should be used only when applications use protocols that require the user’s password for authentication (such as Challenge-Handshake Authentication Protocol, or CHAP).
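The GPO elements above can be read as one policy check applied at password-change time. The following is an added example, not code from the textbook or from Windows: it enforces minimum length, the three-of-four complexity rule, minimum and maximum age, and password history, and it stores salted PBKDF2 hashes rather than the reversibly encrypted form the last bullet warns about. The policy values and day numbers are constructed.

```python
import hashlib
import os
import string

# Constructed policy values in the shape of the GPO settings described above
# (not taken from any real domain).
POLICY = {
    "min_length": 8,       # Minimum password length
    "history_size": 5,     # Enforce password history
    "min_age_days": 1,     # Minimum password age
    "max_age_days": 90,    # Maximum password age
    "complexity": True,    # Password must meet complexity requirements
}


def meets_complexity(password, min_length):
    """Windows-style complexity: minimum length plus characters from at least
    three of four groups (uppercase, lowercase, numerals, non-alphanumeric)."""
    if len(password) < min_length:
        return False
    groups = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(not c.isalpha() and not c.isdigit() for c in password),
    ]
    return sum(groups) >= 3


def hash_password(password, salt):
    """One-way, salted, slow hash: the opposite of reversible encryption."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Account:
    def __init__(self):
        self.history = []          # list of (salt, hash), newest last
        self.last_change_day = None

    def in_history(self, password, history_size):
        for salt, digest in self.history[-history_size:]:
            if hash_password(password, salt) == digest:
                return True
        return False


def change_password(account, new_password, today, policy=POLICY):
    """Apply the policy to a change request. `today` is an integer day number.
    Returns (ok, reason)."""
    if account.last_change_day is not None:
        if today - account.last_change_day < policy["min_age_days"]:
            return False, "minimum password age not reached"
    if policy["complexity"] and not meets_complexity(new_password, policy["min_length"]):
        return False, "complexity requirements not met"
    if account.in_history(new_password, policy["history_size"]):
        return False, "password reuse blocked by history"
    salt = os.urandom(16)
    account.history.append((salt, hash_password(new_password, salt)))
    account.last_change_day = today
    return True, "changed"


def password_expired(account, today, policy=POLICY):
    """Maximum password age: the user must change the password once exceeded."""
    if account.last_change_day is None:
        return True
    return today - account.last_change_day > policy["max_age_days"]
```

The history check has to recompute the hash with each stored salt, which is why a slow hash keeps the history short; the minimum-age rule exists so a user cannot cycle through five changes in a minute to return to an old password.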

Single Sign-On (1 of 2)

Single sign-on (SSO) is a form of authentication that involves the transferring of credentials between systems.

Single sign-on allows a user to transfer her credentials, so that logging into one system acts to log her into all of them.

SSO is usually a little more difficult to implement than vendors would lead you to believe.

Once the user has entered a user ID and password, the single sign-on system passes these credentials transparently to other systems so that repeated logons are not required. Put simply, you supply the right username and password once and you have access to all the applications and data you need, without having to log in multiple times and remember many different passwords. From a user standpoint, SSO means you need to remember only one username and one password. From an administration standpoint, SSO can be easier to manage and maintain. From a security standpoint, SSO can be even more secure, as users who need to remember only one password are less likely to choose something too simple or something so complex they need to write it down.

In reality, SSO is usually a little more difficult to implement than vendors would lead you to believe. To be effective and useful, all your applications need to be able to access and use the authentication provided by the SSO process. The more diverse your network, the less likely this is to be the case. If your network, like most, contains different operating systems, custom applications, and a diverse user base, SSO may not even be a viable option.

Single Sign-On (2 of 2)

Figure 11.5 Single sign-on process

This figure shows a logical depiction of the SSO process:

1. The user signs in once, providing a username and password to the SSO server.

2. The SSO server provides authentication information to any resource the user accesses during that session. The server interfaces with the other applications and systems—the user does not need to log into each system individually.

Security controls and permissions (1 of 2)

Most operating systems use the concepts of permissions and rights to control and safeguard access to resources.

Windows operating system provides an example.

Uses the concepts of permissions and rights to control access to files, folders, and information resources

Uses user rights or privileges to determine actions a user or group is allowed to perform or access

Security controls and permissions (2 of 2)

Windows operating system (continued)

Rights tend to be actions that deal with accessing the system itself, process control, logging, and so on.

Even access and use of peripherals such as printers can be controlled using permissions.

A very important concept to consider when assigning rights and privileges is the concept of least privilege.

Requires that users be given the absolute minimum number of rights and privileges required to perform their authorized duties.

Access Control Lists (1 of 4)

Access control list (ACL) is used in more than one manner in the field of computer security.

Routers and firewalls: An ACL is a set of rules used to control traffic flow into or out of an interface or network.

System resources: An ACL lists permissions attached to an object.

An access control matrix provides the simplest framework for illustrating the process.

Seldom used in computer systems because it is extremely costly in terms of storage space and processing

Access Control Lists (2 of 4)

Figure 11.9 Permissions for Billy Williams on the Data folder

This figure shows the access control list (permissions) for the Data folder. The user identified as Billy Williams has Read & Execute, List Folder Contents, and Read permissions, meaning this user can open the folder, see what’s in the folder, and so on.

Access Control Lists (3 of 4)

Figure 11.10 Permissions for Leah Jones on the Data folder

This figure shows the permissions for a user identified as Leah Jones, who has only Read permissions on the same folder.

Access Control Lists (4 of 4)

Table 11.1 An Access Control Matrix
Process 1 Process 2 File 1 File 2 Printer
Process 1 Read, write, execute Read, write Read Write
Process 2 Execute Read, write, execute Read, write Read, write Write
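To make the relationship between the matrix and an ACL concrete, here is an added example (not from the textbook) that stores a matrix in the shape of Table 11.1 and derives per-object ACLs from its columns. The Process 2 row is taken from the table; the Process 1 row is constructed, because the source row is missing a cell.

```python
# Subjects are rows, objects are columns, each cell is a set of rights.
# Process 2 row copied from Table 11.1; Process 1 row constructed.
MATRIX = {
    "Process 1": {
        "Process 1": {"read", "write", "execute"},
        "Process 2": {"read", "write"},
        "File 1": {"read"},
        "File 2": {"write"},
        "Printer": set(),
    },
    "Process 2": {
        "Process 1": {"execute"},
        "Process 2": {"read", "write", "execute"},
        "File 1": {"read", "write"},
        "File 2": {"read", "write"},
        "Printer": {"write"},
    },
}


def is_allowed(matrix, subject, obj, right):
    """Look up one cell; unknown subjects or objects get no rights."""
    return right in matrix.get(subject, {}).get(obj, set())


def acl_for(matrix, obj):
    """An ACL is the matrix column for one object: which subjects hold which
    rights on it. Empty cells are dropped, as a stored ACL would drop them."""
    return {subject: row[obj] for subject, row in matrix.items() if row.get(obj)}


def capabilities_for(matrix, subject):
    """A capability list is the matrix row for one subject."""
    return {obj: rights for obj, rights in matrix[subject].items() if rights}


def cell_count(matrix):
    """(total cells, non-empty cells): the full matrix stores every cell,
    most of them empty in a real system, which is the storage cost the
    slide refers to."""
    total = sum(len(row) for row in matrix.values())
    used = sum(1 for row in matrix.values() for rights in row.values() if rights)
    return total, used


def to_acls(matrix):
    """Convert the whole matrix into per-object ACLs (what systems keep)."""
    objects = {obj for row in matrix.values() for obj in row}
    return {obj: acl_for(matrix, obj) for obj in sorted(objects)}
```

Routers and firewalls use the word ACL for rule lists over traffic; the function above is the system-resource sense, where the list is attached to the object and consulted on every access.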

Mandatory Access Control (MAC) (1 of 2)

Mandatory access control (MAC) is the process of controlling access to information based on the sensitivity of that information and whether or not the user is operating at the appropriate sensitivity level and has the authority to access that information.

Information and resources labeled with a sensitivity level

Users assigned a clearance level

Access control and sensitivity labels required in a MAC system

Under a MAC system, each piece of information and every system resource (files, devices, networks, and so on) is labeled with its sensitivity level (such as Public, Engineering Private, Jones Secret). Users are assigned a clearance level that sets the upper boundary of the information and devices that they are allowed to access. The access control and sensitivity labels are required in a MAC system. Labels are defined and then assigned to users and resources. Users must then operate within their assigned sensitivity and clearance levels—they don’t have the option to modify their own sensitivity levels or the levels of the information resources they create. Due to the complexity involved, MAC is typically run only on systems where security is a top priority such as Trusted Solaris, OpenBSD, and SELinux.

Exam Tip: Mandatory access control restricts access based on the sensitivity of the information and whether or not the user has the authority to access that information.

Mandatory Access Control (MAC) (2 of 2)

Figure 11.11 Logical representation of mandatory access control

This figure illustrates MAC in operation. The information resource on the left has been labeled “Engineering Secret,” meaning only users in the Engineering group operating at the Secret sensitivity level or above can access that resource. The top user is operating at the Secret level but is not a member of Engineering and is denied access to the resource. The middle user is a member of Engineering but is operating at a Public sensitivity level and is therefore denied access to the resource. The bottom user is a member of Engineering, is operating at a Secret sensitivity level, and is allowed to access the information resource.
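The decision in Figure 11.11 can be written as a small function. This is an added example, not code from the textbook or from any MAC implementation: labels pair a compartment (the group) with an ordered sensitivity level, access requires both the level to dominate and membership in the compartment, and relabeling is reserved for the security officer. The level names and users are constructed.

```python
# Ascending sensitivity order; constructed for this example.
LEVELS = ["Public", "Private", "Secret"]


def level_rank(level):
    return LEVELS.index(level)


class Resource:
    def __init__(self, name, group, level):
        self.name, self.group, self.level = name, group, level


class User:
    def __init__(self, name, groups, clearance, operating_level):
        self.name = name
        self.groups = set(groups)
        self.clearance = clearance                # upper bound set by the administrator
        self.operating_level = operating_level    # level of the current session


def mac_allows(user, resource):
    """Access is granted only if the session level is within the user's
    clearance, dominates the resource's level, and the user is a member of
    the resource's compartment."""
    if level_rank(user.operating_level) > level_rank(user.clearance):
        return False   # a session may never exceed the assigned clearance
    dominates = level_rank(user.operating_level) >= level_rank(resource.level)
    in_compartment = resource.group in user.groups
    return dominates and in_compartment


def relabel(resource, group, level, actor_is_security_officer):
    """Under MAC, users (including a resource's creator) cannot change
    labels; only the security officer assigns them."""
    if not actor_is_security_officer:
        raise PermissionError("labels are assigned by the security officer only")
    if level not in LEVELS:
        raise ValueError(f"unknown sensitivity level {level!r}")
    resource.group, resource.level = group, level
```

The three users from the figure map directly onto the test cases: same level but wrong group, right group but too low a level, and both conditions satisfied.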

Discretionary Access Control (1 of 2)

Discretionary access control (DAC) is the process of using file permissions and optional ACLs to restrict access to information based on a user’s identity or group membership.

Most common access control system and is commonly used in both UNIX and Windows operating systems.

Under the DAC model, the file’s owner can change the file’s permissions any time he wants.

Under UNIX operating systems, file permissions consist of three distinct parts:

Owner permissions (read, write, and execute) The owner of the file

Group permissions (read, write, and execute) The group to which the owner of the file belongs

World permissions (read, write, and execute) Anyone else who is not the owner and does not belong to the group to which the owner of the file belongs

Discretionary Access Control (2 of 2)

Figure 11.12 Discretionary file permissions in the UNIX environment

In UNIX, a file’s permissions are usually displayed as a series of nine characters, with the first three characters representing the owner’s permissions, the second three characters representing the group permissions, and the last three characters representing the permissions for everyone else, or for the world. This concept is illustrated in this figure.

Suppose the file secretdata is owned by Luke with group permissions for Engineering (because Luke is part of the Engineering group), and the permissions on that file are rwx, rw-, and ---, as shown in this figure. This would mean that:

Luke can read, write, and execute the file (rwx).

Members of the Engineering group can read and write the file but not execute it (rw-).

The world has no access to the file and cannot read, write, or execute it (---).

Role-Based Access Control (RBAC)

Role-based access control (RBAC) is the process of managing access and privileges based on the user’s assigned roles.

RBAC is the access control model that most closely resembles an organization’s structure.

Under RBAC, you must first determine the activities that must be performed and the resources that must be accessed.

When a role is assigned to a specific user, the user gets all the rights and privileges assigned to that role.

In this scheme, instead of each user being assigned specific access permissions for the objects associated with the computer system or network, that user is assigned a set of roles that the user may perform. The roles are in turn assigned the access permissions necessary to perform the tasks associated with the role. Users will thus be granted permissions to objects in terms of the specific duties they must perform—not just because of a security classification associated with individual objects.

Unfortunately, in reality, administrators often find themselves in a position of working in an organization where more than one user has multiple roles or even access to multiple accounts (a situation quite common in smaller organizations). Users with multiple accounts tend to select the same or similar passwords for those accounts, thereby increasing the chance one compromised account can lead to the compromise of other accounts accessed by that user. Where possible, administrators should first eliminate shared or additional accounts for users and then examine the possibility of combining roles or privileges to reduce the “account footprint” of individual users.
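The scheme described above, as an added example that is not part of the textbook: roles carry permissions, users carry roles, a user's effective permissions are the union of the roles held, and a review function lists users holding more than one role, the cases the last paragraph says should be examined. The role and permission names are constructed; the security_admin role mirrors the SQL Server description earlier on the page.

```python
# Constructed roles; security_admin follows the SQL Server description above.
ROLES = {
    "security_admin": {"create_login", "manage_login", "read_error_log", "audit"},
    "backup_operator": {"read_data", "write_backup"},
    "analyst": {"read_data"},
}


class Directory:
    def __init__(self):
        self.user_roles = {}   # user -> set of role names

    def assign_role(self, user, role):
        if role not in ROLES:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def permissions_for(self, user):
        """Effective permissions are the union of all assigned roles."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= ROLES[role]
        return perms

    def can(self, user, permission):
        return permission in self.permissions_for(user)

    def multi_role_users(self):
        """Users holding more than one role: the candidates for combining
        roles or removing extra privileges to shrink the account footprint."""
        return sorted(u for u, roles in self.user_roles.items() if len(roles) > 1)

    def users_with_permission(self, permission):
        """Reverse lookup, useful during an access review."""
        return sorted(u for u in self.user_roles if self.can(u, permission))
```

Because permissions live on the role, removing a duty from everyone who performs it is a single change to ROLES rather than a per-user edit, which is the administrative advantage the text describes.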

Rule-Based Access Control

In rule-based access control, access is either allowed or denied based on a set of predefined rules.

Each object has an associated ACL (much like DAC), and when a particular user or group attempts to access the object, the appropriate rule is applied.

A good example for rule-based access control is permitted logon hours.

Many operating systems give administrators the ability to control the hours during which users can log in.

Rule-based access control is yet another method of managing access and privileges (and unfortunately shares the same acronym as role-based access control). In this method, access is either allowed or denied based on a set of predefined rules. Each object has an associated ACL (much like DAC), and when a particular user or group attempts to access the object, the appropriate rule is applied. A good example for rule-based access control is permitted logon hours.

Many operating systems give administrators the ability to control the hours during which users can log in. For example, a bank may allow its employees to log in only between the hours of 8 A.M. and 6 P.M. Monday through Saturday. If a user attempts to log in outside of these hours, 3 A.M. on Sunday for example, then the rule will reject the login attempt whether or not the user supplies valid login credentials.

Exam Tip: Role-based and rule-based access control can both be abbreviated as RBAC. Standard convention is for RBAC to be used to denote role-based access control. A seldom-seen acronym for rule-based access control is RB-RBAC. Role-based focuses on the user’s role (administrator, backup operator, and so on). Rule-based focuses on predefined criteria such as time of day (users can only log in between 8 A.M. and 6 P.M.) or type of network traffic (web traffic is allowed to leave the organization).
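The bank rule above, as an added example that is not part of the textbook: the logon-hours rule is evaluated before the credentials, so a valid password presented at 3 A.M. on Sunday is rejected exactly like an invalid one. The credential store and user names are constructed, and the rule uses Python's weekday numbering (Monday is 0).

```python
import hashlib
import hmac
from datetime import datetime

# Modelled on the bank example: 8 A.M. to 6 P.M., Monday (0) through Saturday (5).
LOGON_HOURS_RULE = {"days": {0, 1, 2, 3, 4, 5}, "start_hour": 8, "end_hour": 18}


def logon_allowed(when, rule=LOGON_HOURS_RULE):
    """Predefined rule: day of week and hour of day decide, nothing else."""
    return when.weekday() in rule["days"] and rule["start_hour"] <= when.hour < rule["end_hour"]


def _h(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed credential store for the demonstration.
CREDENTIALS = {"teller1": _h("correct horse")}


def attempt_login(username, password, when, rule=LOGON_HOURS_RULE):
    """Apply the rule first; credentials are checked only inside the window.
    Returns (granted, reason)."""
    if not logon_allowed(when, rule):
        return False, "outside permitted logon hours"
    stored = CREDENTIALS.get(username)
    if stored is None or not hmac.compare_digest(stored, _h(password)):
        return False, "invalid credentials"
    return True, "granted"


def denied_attempts(log, rule=LOGON_HOURS_RULE):
    """Review helper: which (user, time) pairs in an attempt log fell outside
    the window. Repeated out-of-hours attempts are worth a closer look."""
    return [(user, when) for user, when in log if not logon_allowed(when, rule)]
```

Evaluating the rule before the password also means an attacker guessing passwords out of hours learns nothing about which guesses were right, since every attempt gets the same answer.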

Attribute-Based Access Control (ABAC)

Attribute-based access control (ABAC) is a new access control schema based on the use of attributes associated with an identity.

ABAC can use any type of attribute:

User attributes, resource attributes, environment attributes, and so on

ABAC can be represented via the eXtensible Access Control Markup Language (XACML), a standard that implements attribute- and policy-based access control schemes.

Account policies

A good set of policies guides security professionals in their daily tasks.

Policies are needed for a wide range of elements

From naming conventions to operating rules, such as audit frequency and other specifics

Having issues resolved as a matter of policy frees security professionals to go about the task of verifying and monitoring systems

This avoids adjudicating policy-type issues case by case for each user

Account policy Enforcement (1 of 2)

Passwords: primary method of account policy enforcement

Foundation of a solid account policy:

Each user ID is traceable to a single person’s activity

No sharing of passwords and credentials

Passwords need to be managed to provide appropriate levels of protection

Account policy Enforcement (2 of 2)

Passwords need to be strong enough to resist attack, and yet not too difficult for users to remember.

Password policy ensures necessary steps taken to enact a secure password solution

By users and by the password infrastructure system

Credential Management

Credential management:

Processes, services, and software used to store, manage, and log the use of user credentials

Credential management solutions:

Typically aimed at assisting end users in managing their growing set of passwords

Credential management products

Provide secure means of storing user credentials

Make credentials available across a wide range of platforms

Group Policy

Microsoft Windows systems in an enterprise environment can be managed via group policy objects (GPOs).

GPOs act through a set of registry settings that can be managed via the enterprise.

A wide range of settings can be managed via GPOs

Many are related to security including user credential settings such as password rules.

Standard Naming Convention

Having a standard naming convention enables users to extract meaning from a name.

However, calling out a role in the account name (for example, marking which accounts belong to system administrators) has two potential problems.

It alerts adversaries to which accounts are the most valuable.

It creates a problem when the person is no longer a member of the system administrators group, as the account must then be renamed.

Plan ahead so that the naming scheme leaves plenty of room for later changes.

Account Maintenance (1 of 2)

Account maintenance is the routine screening of all attributes for an account.

Best practice: perform in accordance with risk associated with the profile.

System administrators and other privileged accounts need greater scrutiny than normal users.

Shared accounts, such as guest accounts, also require scrutiny to ensure they are not abused.

Account Maintenance (2 of 2)

It is important to note that the job of determining who has what access actually belongs to the business, not the security group.

The business side of the house is where the policy decision on who should have access is determined.

Account maintenance is a joint responsibility

Usage auditing and review (1 of 2)

Usage auditing and review is an examination of logs to determine user activity.

Reviewing access control logs for root level accounts is an important element of securing access control methods.

Because of their power and potential for misuse, administrative or root-level accounts should be closely monitored.

One important element of continuous monitoring in production is tracking any use of an administrative-level account on a production system.

Usage auditing and review (2 of 2)

A strong configuration management environment includes control of access to production systems by users who can change the environment.

Root-level changes in a system tend to be significant changes.

In a production environment, changes should be approved in advance.

Comparing all root-level activity against the approved changes assists in detecting unauthorized activity.

Time-of-Day Restrictions

Time-of-day restrictions limit when a user can log in, when certain resources can be accessed, and so on.

From a security perspective, time of day restrictions can be very useful.

Time of day restrictions can also serve as a mechanism to enforce internal controls of critical or sensitive resources.

A drawback is that a user cannot go to work outside of normal hours to “catch up” with work tasks.

Account Expiration

Operating systems allow administrators to specify the length of time an account is valid and when the “account expires” or is disabled.

Great for controlling temporary accounts

Organizations must define whether accounts are deleted or disabled when no longer needed.

Deleting an account removes the account from the system permanently.

Disabling an account leaves it in place but marks it as unusable.

This is a great method for controlling temporary accounts, or accounts for contractors or contract employees. For these accounts, the administrator can specify an expiration date; when the date is reached, the account automatically becomes locked out and cannot be logged into without administrator intervention. A related action can be taken with accounts that never expire: they can automatically be marked “inactive” and locked out if they have been unused for a specified number of days. Account expiration is similar to password expiration, in that it limits the time window of potential compromise. When an account has expired, it cannot be used unless the expiration deadline is extended.

Many organizations disable accounts for a period of time after an employee departs (30 or more days) prior to deleting the account. This prevents anyone from using the account and allows administrators to reassign files, forward mail, and “clean up” before taking any permanent actions on the account.
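The account lifecycle described in the last two paragraphs, as an added example that is not the textbook's code: an expiration date that locks the account, an inactivity limit that marks never-expiring accounts inactive, administrator-only extension of the deadline, and a disable-then-delete offboarding with a retention period. The account names, dates and the 30-day default are constructed for the example.

```python
from datetime import date, timedelta


class Account:
    def __init__(self, name, expires=None, inactivity_limit_days=None):
        self.name = name
        self.expires = expires                      # date after which the account locks
        self.inactivity_limit_days = inactivity_limit_days
        self.last_login = None
        self.disabled = False
        self.delete_after = None                    # set when the account is offboarded


def login_allowed(account, today):
    """Expiration and inactivity checks at logon. Returns (allowed, reason)."""
    if account.disabled:
        return False, "disabled"
    if account.expires is not None and today > account.expires:
        return False, "expired"           # locked until an administrator extends it
    if (account.inactivity_limit_days is not None and account.last_login is not None
            and (today - account.last_login).days > account.inactivity_limit_days):
        account.disabled = True           # marked inactive and locked out
        return False, "inactive"
    account.last_login = today
    return True, "ok"


def extend_expiration(account, new_expiry, actor_is_admin):
    """Only an administrator can move the deadline; the lock itself is automatic."""
    if not actor_is_admin:
        raise PermissionError("only an administrator can extend an expiration")
    account.expires = new_expiry


def offboard(account, today, retention_days=30):
    """Disable immediately; schedule deletion after the retention period so
    files can be reassigned and mail forwarded first."""
    account.disabled = True
    account.delete_after = today + timedelta(days=retention_days)


def purge_due(accounts, today):
    """Permanently remove accounts whose retention period has passed.
    Returns the names removed; `accounts` is modified in place."""
    removed = [a.name for a in accounts if a.delete_after is not None and today >= a.delete_after]
    accounts[:] = [a for a in accounts if a.name not in removed]
    return removed
```

Keeping "disabled" and "deleted" as distinct states is what allows the 30-day grace period: a disabled account cannot log in but still owns its files, so nothing is lost if a hand-over turns out to be incomplete.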

Preventing Data Loss or Theft

Today’s hackers are after intellectual property, business plans, competitive intelligence, personal information, credit card numbers, client records, or any other information that can be sold, traded, or manipulated for profit.

This has created a whole industry of technical solutions labeled data loss prevention (DLP) solutions.

The best DLP solution is a combination of security elements, some to secure data in storage (encryption) and some in the form of monitoring.

The Remote Access Process (1 of 2)

The three steps in the establishment of proper privileges are authentication, authorization, and accounting, referred to as AAA.

Authentication is the matching of user-supplied credentials to previously stored credentials on a host machine, and it usually involves an account username and password.

Authorization is the granting of specific permissions based on the privileges held by the account.

The Remote Access Process (2 of 2)

Accounting is the collection of billing and other detail records.

Once the user is authenticated, the authorization step takes place.

Remote authentication usually takes the common form of an end user submitting his credentials via an established protocol to a remote access server (RAS), which acts upon those credentials, either granting or denying access.

Identification

Identification is the process of ascribing a computer ID to a specific user, computer, network device, or computer process.

The identification process is typically performed only once, when a user ID is issued to a particular user.

User identification enables authentication and authorization to form the basis for accountability.

For accountability purposes, user IDs should not be shared, and for security purposes, they should not be descriptive of job function.

This practice enables you to trace activities to individual users or computer processes so that they can be held responsible for their actions. Identification links the logon ID or user ID to credentials that have been submitted previously to either HR or the IT staff. A required characteristic of user IDs is that they must be unique so that they map back to the credentials presented when the account was established.

Authentication (1 of 16)

Authentication is the process of binding a specific ID to a specific computer connection.

Two items need to be presented to cause this binding to occur—the user ID, and some “secret” to prove that the user is the valid possessor of the credentials.

Historically, three categories of secrets are used to authenticate the identity of a user:

What users know, what users have, and what users are

Today, an additional category is used: what users do.

These methods can be used individually or in combination. These controls assume that the identification process has been completed and the identity of the user has been verified. It is the job of authentication mechanisms to ensure that only valid users are admitted. Described another way, authentication is using some mechanism to prove that you are who you claimed to be when the identification process was completed.

For greater security, you can add an element from a separate group, such as a smart card token—something a user has in her possession. Passwords are common because they are one of the simplest forms and use user memory as a prime component. Because of their simplicity, passwords have become ubiquitous across a wide range of authentication systems.

Authentication (2 of 16)

Password is most common authentication method.

An element from a separate group can be added for greater security, such as a smart card token—something a user has in her possession.

Another method to provide authentication involves the use of something that only valid users should have in their possession.

The third general method to provide authentication involves something that is unique about you.

A newer method, based on how users perform an action, such as their gait when walking or their typing patterns, has emerged as a source of a personal “signature”.

Authentication (3 of 16)

Basic authentication is the simplest technique used to manage access control across HTTP.

Basic authentication operates by passing information encoded in Base64 form using standard HTTP headers.

This is a plaintext method without any pretense of security.
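What "Base64 is not security" means in practice, as an added example that is not the textbook's code: the client builds the `Authorization: Basic` header exactly as RFC 7617 describes, and the decoder recovers the username and password from it with no key at all. The sample credentials are the ones used in the RFC's own illustration, and the exposure check is a defender's helper constructed for this example.

```python
import base64
import binascii


def basic_auth_header(username, password):
    """Client side: 'user:pass' encoded as Base64 in a standard HTTP header."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def decode_basic_auth(header):
    """Recover the credentials from the header. Anyone who can read the
    request (a proxy, a sniffer on a plain-HTTP link) can do the same."""
    prefix = "Authorization: Basic "
    if not header.startswith(prefix):
        return None
    try:
        raw = base64.b64decode(header[len(prefix):], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def credentials_exposed(url, header):
    """Review check: a Basic header on a plain http:// request is readable in
    transit; over https the transport, not the scheme, is what protects it."""
    return url.lower().startswith("http://") and decode_basic_auth(header) is not None
```

The encoding exists so that arbitrary characters fit in a header line, not to hide anything; the only thing standing between the header and the password is whether the connection used TLS.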

Authentication (4 of 16)

Figure 11.14 How basic authentication operates

This figure illustrates the operation of basic authentication.

Authentication (5 of 16)

Digest authentication is a method used to negotiate credentials across the Web.

Digest authentication uses hash functions and a nonce to improve security over basic authentication.

Digest authentication, although it improves security over basic authentication, does not provide any significant level of security.

Passwords are not sent in the clear.

Digest authentication is subject to man-in-the-middle attacks and potentially replay attacks.

Authentication (6 of 16)

Figure 11.15 How digest authentication operates

Digest authentication works as follows, as illustrated in this figure:

1. The client requests login.

2. The server responds with a challenge and provides a nonce.

3. The client hashes the password and nonce.

4. The client returns the hashed password to the server.

5. The server requests the password from a password store.

6. The server hashes the password and nonce.

7. If both hashes match, login is granted.
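The seven steps above, as an added example with both sides of the exchange. This is the simplified hash-of-password-and-nonce scheme the figure describes, written with SHA-256 and not the exact MD5 message format of HTTP Digest (RFC 7616); it is not the textbook's code. The server consumes each nonce once, which is the property that blocks a straight replay, and the constructed password store holds the password itself, since step 5 requires it.

```python
import hashlib
import hmac
import os


def digest(password, nonce):
    """Steps 3 and 6: both sides compute the same hash over password and nonce."""
    return hashlib.sha256(password.encode("utf-8") + nonce).hexdigest()


class Server:
    def __init__(self, password_store):
        self.store = dict(password_store)   # constructed: username -> password (step 5)
        self.outstanding = {}               # username -> nonce issued and not yet used

    def challenge(self, username):
        """Step 2: respond to a login request with a fresh, random nonce."""
        nonce = os.urandom(16)
        self.outstanding[username] = nonce
        return nonce

    def verify(self, username, response):
        """Steps 5 to 7: fetch the password, hash it with the nonce, compare.
        The nonce is removed first, so a captured response cannot be reused."""
        nonce = self.outstanding.pop(username, None)
        if nonce is None:
            return False                    # no outstanding challenge, or a replay
        password = self.store.get(username)
        if password is None:
            return False
        return hmac.compare_digest(digest(password, nonce), response)


class Client:
    def __init__(self, username, password):
        self.username, self.password = username, password

    def respond(self, nonce):
        """Steps 3 and 4: hash the password with the nonce and return the hash;
        the password itself never leaves the client."""
        return digest(self.password, nonce)


def login(client, server):
    """Step 1 through 7 end to end. Returns True when the hashes match."""
    nonce = server.challenge(client.username)
    return server.verify(client.username, client.respond(nonce))
```

Note what the scheme does and does not give: the password is not on the wire, but the server must keep the password (or an equivalent secret) available to compute step 6, and an active man-in-the-middle who relays the challenge and response in real time is not detected, which matches the caveats on the previous slide.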

Authentication (7 of 16)

Kerberos is a network authentication protocol designed for a client/server environment.

Kerberos is built around the idea of a trusted third party, termed a key distribution center (KDC), which consists of two logically separate parts: an authentication server (AS) and a ticket-granting server (TGS).

Kerberos communicates via “tickets” that serve to prove the identity of users.

The basis for authentication in a Kerberos environment is the ticket.

Tickets are used in a two-step process with the client.

Developed as part of MIT’s project Athena, Kerberos is a network authentication protocol designed for a client/server environment. The current version is Kerberos 5 release 1.13.2 and is supported by all major operating systems.

Taking its name from the three-headed dog of Greek mythology, Kerberos is designed to work across the Internet, an inherently insecure environment. Kerberos uses strong encryption so that a client can prove its identity to a server and the server can in turn authenticate itself to the client. A complete Kerberos environment is referred to as a Kerberos realm. The Kerberos server contains user IDs and hashed passwords for all users that will have authorizations to realm services. The Kerberos server also has shared secret keys with every server to which it will grant access tickets.

Authentication (8 of 16)

Figure 11.16 Kerberos operations

The basis for authentication in a Kerberos environment is the ticket.

Tickets are used in a two-step process with the client. The first ticket is a ticket-granting ticket (TGT) issued by the AS to a requesting client. The client can then present this ticket to the Kerberos server with a request for a ticket to access a specific server. This client-to-server ticket (also called a service ticket) is used to gain access to a server’s service in the realm.

Since the entire session can be encrypted, this eliminates the inherently insecure transmission of items such as a password that can be intercepted on the network. Tickets are time-stamped and have a lifetime, so attempting to reuse a ticket will not be successful. This figure details Kerberos operations.
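The two-step ticket flow above, as an added example that is not the textbook's code and not an implementation of the Kerberos protocol: the AS and TGS share one KDC, the AS issues a time-stamped TGT, the TGS exchanges it for a service ticket sealed under the service's key, and the service checks the seal and the lifetime. As a simplification, tickets are sealed with an HMAC under the recipient's key instead of being encrypted, and the pre-authentication timestamp stands in for the client's proof that it knows the password. Realm members, secrets and timestamps are constructed.

```python
import hashlib
import hmac
import json
import os


def derive_key(secret):
    """Long-term key from a password or shared service secret (simplified)."""
    return hashlib.sha256(secret.encode("utf-8")).digest()


def seal(key, fields):
    """Stand-in for ticket encryption: the body is bound to the recipient's
    key by an HMAC, so only that key holder can validate it."""
    body = json.dumps(fields, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), "sha256").hexdigest()}


def unseal(key, ticket):
    expected = hmac.new(key, ticket["body"].encode(), "sha256").hexdigest()
    return json.loads(ticket["body"]) if hmac.compare_digest(expected, ticket["tag"]) else None


class KDC:
    """Authentication server (AS) and ticket-granting server (TGS) of one realm."""

    def __init__(self, users, services, lifetime=600, skew=300):
        self.user_keys = {u: derive_key(p) for u, p in users.items()}        # hashed passwords
        self.service_keys = {s: derive_key(k) for s, k in services.items()}  # shared with each server
        self.tgs_key = os.urandom(32)                                        # known only to the KDC
        self.lifetime, self.skew = lifetime, skew

    def as_exchange(self, username, preauth, now):
        """AS: verify the pre-authentication timestamp under the user's key,
        then issue a ticket-granting ticket (TGT)."""
        key = self.user_keys.get(username)
        fields = unseal(key, preauth) if key else None
        if fields is None or abs(now - fields["timestamp"]) > self.skew:
            return None
        return seal(self.tgs_key, {"user": username, "issued": now, "expires": now + self.lifetime})

    def tgs_exchange(self, tgt, service, now):
        """TGS: validate the TGT and its lifetime, then issue a service ticket."""
        fields = unseal(self.tgs_key, tgt)
        if fields is None or now > fields["expires"] or service not in self.service_keys:
            return None
        return seal(self.service_keys[service], {"user": fields["user"], "service": service,
                                                 "issued": now, "expires": now + self.lifetime})


class Service:
    def __init__(self, name, secret):
        self.name, self.key = name, derive_key(secret)

    def accept(self, ticket, now):
        """Return the authenticated user, or None if the ticket is forged,
        meant for another service, or past its lifetime."""
        fields = unseal(self.key, ticket)
        if fields is None or fields["service"] != self.name or now > fields["expires"]:
            return None
        return fields["user"]


def obtain_service_ticket(kdc, username, password, service, now):
    """Client side of the two-step process: TGT first, then a service ticket."""
    preauth = seal(derive_key(password), {"timestamp": now})
    tgt = kdc.as_exchange(username, preauth, now)
    return None if tgt is None else kdc.tgs_exchange(tgt, service, now)
```

Two things the test cases exercise that the text calls out: the password never crosses the network (only a timestamp sealed under a key derived from it), and a ticket presented after its lifetime, or to a server it was not issued for, is rejected even though it is otherwise genuine.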

Authentication (9 of 16)

Mutual authentication

Describes a process in which each side of an electronic communication verifies the authenticity of the other.

This gives each side of a client/server relationship a mechanism to verify the authenticity of the other.

A common method involves using a secure connection, such as Transport Layer Security (TLS), to the server and a one-time password generator that then authenticates the client.

Authentication (10 of 16)

Certificates

A method of establishing authenticity of specific objects such as an individual’s public key or downloaded software.

A digital certificate is a digital file that is sent as an attachment to a message and is used to verify that the message did indeed come from the entity it claims to have come from.


Authentication (11 of 16)

Tokens

A token is an authentication factor that typically takes the form of a physical or logical entity that the user must be in possession of to access their account or certain resources.

A token is a hardware device that can be used in a challenge/response authentication process.

It functions as both a something-you-have and something-you-know authentication mechanism.

Several variations on this type of device exist.

All work on the same basic principles.


Authentication (12 of 16)

Tokens (continued)

Tokens are commonly employed in remote authentication schemes as they provide additional surety of the identity of the user, even users who are somewhere else and cannot be observed.

Most tokens are physical tokens that display a series of numbers that changes every 30 to 90 seconds.


Authentication (13 of 16)

Software Tokens

Software tokens still provide two-factor authentication but don’t require the user to have a separate physical device on hand.

Some tokens require software clients that store a symmetric key (sometimes called a seed record) in a secured location on the user’s device (laptop, desktop, tablet, and so on).


Authentication (14 of 16)

Software Tokens (continued)

Other software tokens use public key cryptography.

Asymmetric cryptography solutions, such as public key cryptography, often associate a PIN with a specific user’s token.

The most common form of software token is for identifying a specific device in addition to a user, in that the software token is on the device and the user supplies the rest of the details needed to demonstrate authenticity.


Authentication (15 of 16)

HOTP/TOTP

HMAC-based One-Time Password (HOTP) is an algorithm that can be used to authenticate a user in a system by using an authentication server.

HMAC stands for Hash-based Message Authentication Code.

The Time-based One-Time Password (TOTP) algorithm is a specific implementation of an HOTP that uses a secret key with a current time stamp to generate a one-time password.


Authentication (16 of 16)

Smart cards

Smart cards can increase physical security because they can carry cryptographic tokens that are too long to remember and have too large a space to guess.

Smart cards can find use in a variety of situations where you want to combine something you know (a PIN or password) with something you have (something that can’t be duplicated, such as a smart card).

Many standard corporate-type laptops come with smart card readers installed, and their use is integrated into the Windows user access system.


Multifactor Authentication (1 of 7)

Multifactor authentication is the combination of two or more types of authentication (also called multiple-factor authentication).

Five broad categories of authentication can be used:

What you are (for example, biometrics)

What you have (for instance, tokens)

What you know (passwords and other information)

Somewhere you are (location)

Something you do (physical performance)


Multifactor Authentication (2 of 7)

Two-factor authentication combines any two categories before granting access.

Three-factor authentication would combine three of these categories before granting access.

Multifactor authentication methods enhance security:

It is difficult for an attacker to obtain the correct materials for authentication.

They protect against the risk of stolen tokens.

They enhance biometric system security by protecting against a stolen biometric.


Multifactor Authentication (3 of 7)

Multifactor authentication is one of the best ways to ensure proper authentication and access control.

Something you are

Specifically refers to biometrics as the “you are” indicates.

Challenges:

Typically hard to change, so once assigned they become immutable.

Have issues associated with measuring things on a person


Multifactor Authentication (4 of 7)

Something you have

Specifically refers to tokens and other items that a user can possess physically

Challenges:

You have to have it with you whenever you wish to be authenticated

Relies on interfaces that might not be available for some systems


Multifactor Authentication (5 of 7)

Something you know

Specifically refers to passwords, as the “you know” indicates.

Common example: a password

Challenge:

Can be “shared” without the user knowing about it


Multifactor Authentication (6 of 7)

Something you do

Specifically refers to activities, as the “you do” indicates

Example: a signature

The movement of the pen and the two-dimensional output are difficult for others to reproduce

Useful for authentication

Challenges exist in data capturing


Multifactor Authentication (7 of 7)

Somewhere you are

A more stringent element is location (somewhere you are)

Compare location to records to determine if you are really there, or even should be there.


Transitive trust

Security across multiple domains is provided through trust relationships.

It is important to note that trust relationships apply only to authentication.

A transitive trust relationship means that the trust relationship extended to one domain will be extended to any other domain trusted by that domain.

A two-way trust relationship means that two domains trust each other.


Biometric factors (1 of 14)

Biometric factors use the measurements of certain biological features to identify one specific person from other people.

Factors based on unique human body parts

Fingerprint: most well-known

Other biological factors: retina or iris of the eye, hand geometry and face geometry

Biometric factors use a two-part process: enrollment and then authentication


Biometric factors (2 of 14)

In the real world, biometrics breaks down

Biometrics takes an analog signal (such as a fingerprint) and digitizes it

The digital version is then matched against the digits stored in the database

The problem with an analog signal is that it might not encode the exact same way twice.


Biometric factors (3 of 14)

Fingerprint scanner

Used to measure the unique shape of fingerprints and then change them to a series of numerical values, or a template.

Fingerprint scanners are cheap to produce and have widespread use in mobile devices.

Challenge of fingerprint scanners: they fail if the user is wearing gloves or has worn-down fingerprints


Biometric factors (4 of 14)

Retinal scanner

Examines blood vessel patterns in the back of the eye.

Believed to be unique and unchanging

Challenges:

Suffers from user acceptance

Psychological issues result from having a laser scanning the inside of the user’s eyeball

Detection is close up and user has to be right at the device for it to work

More expensive because of detector precision and the involvement of lasers and users’ vision


Biometric factors (5 of 14)

Iris scanner

Works in a way similar to retinal scanners in that it uses an image of a unique biological measurement (in this case, the pigmentation associated with the iris of the eye).

Downsides:

The measurement can be taken at a distance, making it easy to measure other people’s values

Contact lenses can be constructed that mimic a certain pattern

The scan can reveal medical issues such as diseases, which would be a violation of privacy


Biometric factors (6 of 14)

Voice recognition

Voice recognition is the use of unique tonal qualities and speech patterns to identify a person.

This biometric has been one of the hardest to develop into a reliable mechanism, primarily because of problems with false acceptance and rejection rates.

Facial recognition

Became viable when it was integrated into mobile phones.

Works fairly well.

Major drawback is that another person can move the phone in front of the registered user and unlock it


Biometric factors (7 of 14)

False positives and false negatives

A false positive is where you receive a positive result for a test, when you should have received a negative result.

Occurs when a biometric is scanned and allows access to someone who is not authorized

A false negative occurs when the system denies access to someone who is actually authorized

Example: a user at the hand geometry scanner may have forgotten to wear a ring they usually wear and the computer doesn’t recognize their hand and denies them access.


Biometric factors (8 of 14)

False positives and false negatives (continued)

A false positive is called a type I error

Considered to be more serious.

A false negative is called a type II error.

For biometric authentication to work properly, and also be trusted, it must minimize the existence of both false positives and false negatives.


Biometric factors (9 of 14)

False acceptance rate

The false acceptance rate (FAR) is the level of false positives that is going to be allowed in the system.

If an unauthorized user is accepted by the system, this is a false acceptance.

When selecting the threshold value, the designer must be cognizant of two factors:

The rejection of a legitimate biometric

The acceptance of a false positive


Biometric factors (10 of 14)

False rejection rate

The false rejection rate (FRR) is the level of false negatives, or rejections, that is going to be allowed in the system.

If an authorized user is rejected by the system, this is a false rejection.

The FRR is calculated by counting the number of authorized access attempts that were not granted, divided by the total number of access attempts.


Biometric factors (11 of 14)

Crossover error rate

The crossover error rate (CER) is the rate where both accept and reject error rates are equal.

This is the desired state for most efficient operation.

Can be managed by manipulating the threshold value used for matching.

In practice, the values might not be exactly the same, but they will typically be close to each other.

Also known as the equal error rate (EER).


Biometric factors (12 of 14)

Biometrics calculation example

Using a fingerprint biometric system with 1000 users.

Five users were unable to enroll.

System has a failure to enroll rate (FER) of 0.5 percent.

995 users can use the system.

During the testing of the 995 users, 50 users were rejected when the system matched their fingerprint against their enrollment fingerprint template.


Biometric factors (13 of 14)

Biometrics calculation example (continued)

NFR = number of false rejections, and NEA = number of legitimate access attempts

FRR = (NFR / NEA) * 100%

So FRR = (50/995) * 100%

This makes the FRR 5.02 percent

Also, 25 users out of the 995 users were accepted by the system when the system matched their fingerprint against other users’ fingerprint templates.

Biometric factors (14 of 14)

Biometrics calculation example (continued)

NFA = number of false acceptances, and NIA = number of imposter attempts

FAR = (NFA / NIA) * 100%

FAR = (25/995) * 100%

This means the FAR is 2.51 percent.

The lower the FAR and FRR, the better the system.

The ideal situation is setting the thresholds where the FAR and FRR are equal (the crossover error rate).
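The FAR, FRR and crossover point from the slides computed in Python, with an added threshold sweep over constructed match scores to locate the CER; the scores are made up for this example and the code is not from the textbook.

```python
from typing import Optional, Sequence, Tuple


def rate_percent(count: int, attempts: int) -> float:
    """The slides' formula shape: (count / attempts) * 100%."""
    if attempts <= 0:
        raise ValueError("attempts must be positive")
    return 100.0 * count / attempts


def far_frr(genuine: Sequence[float], impostor: Sequence[float],
            threshold: float) -> Tuple[float, float]:
    """FAR and FRR (percent) for a matcher that accepts when score >= threshold.

    genuine:  scores of users matched against their own template
    impostor: scores of users matched against other users' templates
    """
    false_accepts = sum(1 for s in impostor if s >= threshold)   # NFA
    false_rejects = sum(1 for s in genuine if s < threshold)     # NFR
    return (rate_percent(false_accepts, len(impostor)),          # NFA / NIA
            rate_percent(false_rejects, len(genuine)))           # NFR / NEA


def crossover(genuine: Sequence[float],
              impostor: Sequence[float]) -> Optional[Tuple[float, float, float]]:
    """Try every observed score as the threshold and return (threshold, FAR, FRR)
    at the point where the two rates are closest, i.e. the CER / EER."""
    best = None
    for threshold in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, threshold)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (threshold, far, frr)
    return best


# Constructed match scores (0 = no similarity, 1 = identical) for the sweep.
GENUINE_SCORES = [0.95, 0.90, 0.88, 0.85, 0.80, 0.78, 0.75, 0.70, 0.60, 0.50]
IMPOSTOR_SCORES = [0.10, 0.20, 0.30, 0.40, 0.45, 0.55, 0.60, 0.65, 0.72, 0.80]

if __name__ == "__main__":
    # Raising the threshold lowers FAR and raises FRR; the sweep finds where they meet.
    for t in (0.60, 0.70, 0.85):
        print(t, far_frr(GENUINE_SCORES, IMPOSTOR_SCORES, t))
    print("CER threshold, FAR, FRR:", crossover(GENUINE_SCORES, IMPOSTOR_SCORES))
```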


Authorization (1 of 2)

Authorization is the process of permitting or denying access to a specific resource.

Once identity is confirmed via authentication, specific actions can be authorized or denied.

Purpose is to determine whether a given user who has been identified has permissions for a particular object or resource being requested.

Functionality is frequently part of the operating system and is transparent to users.

The separation of tasks has several advantages.


The separation of tasks, from identification to authentication to authorization, has several advantages. Many methods can be used to perform each task, and on many systems several methods are concurrently present for each task. Separation of these tasks into individual elements allows combinations of implementations to work together. Any system or resource, be it hardware (router or workstation) or a software component (database system), that requires authorization can use its own authorization method once authentication has occurred. This makes for efficient and consistent application of these principles.


Authorization (2 of 2)

The separation of tasks has several advantages (continued)

Many methods can be used to perform each task.

On many systems several methods are concurrently present for each task.

Separation of these tasks into individual elements allows combinations of implementations to work together.

Any system or resource, or software component that requires authorization can use its own authorization method once authentication has occurred.

This makes for efficient and consistent application of these principles.


ACLs (1 of 2)

Access control lists (ACLs) are lists of users and their permitted actions.

Users can be identified in a variety of ways, including by a user ID, a network address, or a token.

The objective is to create a lookup system that allows a device to determine which actions are permitted and which are denied.

Most common implementation is for file systems, where named user IDs are used to determine which file system attributes are permitted to the user.


ACLs (2 of 2)

Just as the implicit deny rule applies to firewall rulesets, the explicit deny principle can be applied to ACLs.

When this approach is used for ACL building, allowed traffic must be explicitly allowed by a permit statement.

All of the specific permit commands are followed by a deny all statement in the ruleset.

ACL entries are typically evaluated in a top-to-bottom fashion, so any traffic that does not match a “permit” entry will be dropped by a “deny all” statement placed as the last line in the ACL.
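An added example (not from the textbook) of top-to-bottom ACL evaluation in Python: the first matching entry wins, an explicit deny-all entry can close the list, and anything that falls off the end hits the implicit deny. The entry fields, the packet model and the sample addresses (RFC 5737 documentation ranges) are this example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One line of an ACL (a simplified model constructed for this example)."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # CIDR such as "10.0.0.0/8", or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # destination port, None means any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def matches(entry: AclEntry, pkt: Packet) -> bool:
    """Every field of the entry must match; "any" and None act as wildcards."""
    if entry.proto != "any" and entry.proto != pkt.proto:
        return False
    if entry.src != "any" and ip_address(pkt.src) not in ip_network(entry.src):
        return False
    if entry.dst != "any" and ip_address(pkt.dst) not in ip_network(entry.dst):
        return False
    if entry.dport is not None and entry.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[str, int]:
    """Walk the ACL top to bottom; the first matching entry decides.

    Returns (action, index). Index -1 means no entry matched and the
    implicit deny at the end of the list dropped the packet.
    """
    for index, entry in enumerate(acl):
        if matches(entry, pkt):
            return entry.action, index
    return "deny", -1


# Constructed ruleset: two permits followed by an explicit deny-all, as the slides describe.
SAMPLE_ACL = [
    AclEntry("permit", "tcp", "10.0.0.0/8", "any", 443),
    AclEntry("permit", "udp", "any", "192.0.2.53/32", 53),
    AclEntry("deny", "any", "any", "any", None),
]
```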


Remote Access Methods

When a user requires access to a remote system, the process of remote access is used to determine the appropriate controls.


IEEE 802.1x (1 of 2)

IEEE 802.1X is an authentication standard that supports port-based authentication services between a user and an authorization device, such as an edge router.

Used by all types of networks

Describes methods used to authenticate a user prior to granting access to a network and the authentication server, such as a RADIUS server

Acts through an intermediate device, such as an edge switch, enabling ports to carry normal traffic if the connection is properly authenticated


IEEE 802.1X is used by all types of networks, including Ethernet, Token Ring, and wireless. This standard describes methods used to authenticate a user prior to granting access to a network and the authentication server, such as a RADIUS server. 802.1X acts through an intermediate device, such as an edge switch, enabling ports to carry normal traffic if the connection is properly authenticated. This prevents unauthorized clients from accessing the publicly available ports on a switch, keeping unauthorized users out of a LAN. Until a client has successfully authenticated itself to the device, only Extensible Authentication Protocol over LAN (EAPOL) traffic is passed by the switch.

EAPOL is an encapsulated method of passing EAP messages over 802.1 frames. EAP is a general protocol that can support multiple methods of authentication, including one-time passwords, Kerberos, public keys, and security device methods such as smart cards. Once a client successfully authenticates itself to the 802.1X device, the switch opens ports for normal traffic. At this point, the client can communicate with the system’s AAA method, such as a RADIUS server, and authenticate itself to the network.


IEEE 802.1x (2 of 2)

Until a client has successfully authenticated itself to the device, only Extensible Authentication Protocol over LAN (EAPOL) traffic is passed by the switch.

EAPOL is an encapsulated method of passing EAP messages over 802.1 frames.

IEEE 802.1X is commonly used on wireless access points as a port-based authentication service prior to admission to the wireless network.

802.1X over wireless uses either 802.11i or EAP-based protocols, such as EAP-TLS or PEAP-TLS.



LDAP (1 of 2)

A directory is a data storage mechanism similar to a database

Has distinct differences designed to provide efficient data-retrieval services compared to standard database mechanisms.

LDAP is a protocol that is commonly used to handle user authentication/authorization as well as control access to Active Directory objects.

X.500 standard was created as a standard for directory services.


LDAP (2 of 2)

Directory Access Protocol (DAP) is a heavyweight protocol and the primary means of accessing an X.500 directory

Lightweight Directory Access Protocol (LDAP) was created to resolve DAP’s issues.

Contains the most commonly used functionality

Can interface with X.500 services

Can be used over TCP with significantly less computing resources than a full X.500 implementation


RADIUS (1 of 6)

Remote Authentication Dial-In User Service (RADIUS) is an AAA protocol.

Designed as a connectionless protocol

UDP employed as its transport layer protocol

Connection issues handled by the RADIUS application

A client/server protocol

Client is typically a network access server (NAS).

Server is a process or daemon.

Communications between a user and the RADIUS client are subject to compromise.


It was submitted to the Internet Engineering Task Force (IETF) as a series of RFCs: RFC 2058 (RADIUS specification), RFC 2059 (RADIUS accounting standard), and updated RFCs 2865–2869, which are now standard protocols.

RADIUS utilizes UDP port 1812 for authentication and authorization and UDP 1813 for accounting functions.

Network access servers act as intermediaries, authenticating clients before allowing them access to a network. RADIUS, RRAS (Microsoft), RAS, and VPN servers can all act as network access servers.

The RADIUS server is a process or daemon running on a UNIX or Windows Server machine. Communications between a RADIUS client and RADIUS server are encrypted using a shared secret that is manually configured into each entity and not shared over a connection. Hence, communications between a RADIUS client (typically a NAS) and a RADIUS server are secure, but the communications between a user (typically a PC) and the RADIUS client are subject to compromise.

This is important to note, for if the user’s machine (the PC) is not the RADIUS client (the NAS), then communications between the PC and the NAS are typically not encrypted and are passed in the clear.


RADIUS (2 of 6)

RADIUS authentication

When the server is given a username and password, it can support Point-to-Point Protocol (PPP), Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), UNIX login, and other mechanisms, depending on what was established when the server was set up.

A user login authentication consists of a query (Access-Request) from the RADIUS client and a corresponding response (Access-Accept, Access-Challenge, or Access-Reject) from the RADIUS server.


RADIUS (3 of 6)

Figure 11.23 RADIUS communication sequence


A user login authentication consists of a query (Access-Request) from the RADIUS client and a corresponding response (Access-Accept, Access-Challenge, or Access-Reject) from the RADIUS server, as you can see in this figure.

The Access-Challenge response is the initiation of a challenge/response handshake. If the client cannot support challenge/response, then it treats the Challenge message as an Access-Reject.

The Access-Request message contains the username, encrypted password, NAS IP address, and port. The message also contains information concerning the type of session the user wants to initiate. Once the RADIUS server receives this information, it searches its database for a match on the username. If a match is not found, either a default profile is loaded or an Access-Reject reply is sent to the user. If the entry is found or the default profile is used, the next phase involves authorization, for in RADIUS, these steps are performed in sequence.

This figure shows the interaction between a user and the RADIUS client and RADIUS server and the steps taken to make a connection.
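An added example, not code from the textbook, of the Access-Request / Access-Accept exchange in Python following RFC 2865: the NAS hides the User-Password using the shared secret and the Request Authenticator, the server recovers it and checks it against an in-memory user database, and the NAS accepts a reply only if its Response Authenticator verifies under the shared secret. The secret, user database and addresses are constructed for this example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3           # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5  # RFC 2865 attribute types


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes as well."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte chunks and XOR each chunk with
    MD5(secret + previous chunk), the first chunk keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: the chain runs over the hidden chunks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): ties the reply to
    this request and to a party that holds the shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_request(ident: int, username: bytes, password: bytes,
                   nas_ip: str, nas_port: int, secret: bytes) -> bytes:
    """NAS side: Access-Request carrying user name, hidden password, NAS IP and port."""
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """RADIUS server side: recover the password, look the user up, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    stored = user_db.get(attrs.get(USER_NAME, b""))
    ok = stored is not None and hmac.compare_digest(stored, password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""   # an Access-Accept would normally carry the authorization parameters
    auth = response_authenticator(reply_code, ident, reply_attrs, request_auth, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)


def client_verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: trust a reply only if its Identifier matches the outstanding request
    and its Response Authenticator verifies under the shared secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:length], request[4:20], secret)
    return hmac.compare_digest(expected, reply[4:20])
```

A reply whose code was altered in transit, or that was produced without the secret, fails the Response Authenticator check, which is the NAS-to-server leg the notes describe as protected; the PC-to-NAS leg is outside this check entirely.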


RADIUS (4 of 6)

RADIUS authorization

The authentication and authorization steps are performed together in response to a single Access-Request message, although they are sequential steps.

Once an identity has been established, either known or default, the authorization process determines what parameters are returned to the client.

Typical parameters include: service type allowed, protocols allowed, IP address to assign to the user, and access list to apply or static route to place in the NAS routing table.


These parameters are all defined in the configuration information on the RADIUS client and server during setup. Using this information, the RADIUS server returns an Access-Accept message with these parameters to the RADIUS client.


RADIUS (5 of 6)

RADIUS accounting

Performed independently of RADIUS authentication and authorization

Uses a separate UDP port, 1813

Established to support ISPs in their user accounting; supports typical accounting functions for time billing and security logging

Designed to allow data to be transmitted at the beginning and end of a session; these records can indicate resource utilization, such as time, bandwidth, and so on


RADIUS (6 of 6)

Diameter

Name of an AAA protocol suite, designated by the IETF to replace the aging RADIUS protocol

Operates like RADIUS in a client/server configuration

Improves upon RADIUS, resolving discovered weaknesses

A TCP-based service

More extensive AAA capabilities

Designed for all types of remote access

Improved method of encrypting message exchanges to prohibit replay and man-in-the-middle attacks


Taken all together, Diameter, with its enhanced functionality and security, is an improvement on the proven design of the old RADIUS standard.


Terminal Access Controller Access Control System+ (TACACS+) (1 of 5)

Fundamental design aspect is the separation of authentication, authorization, and accounting.

TACACS+ uses TCP as its transport protocol, typically operating over TCP port 49.

It is a client/server protocol, with the client typically being a NAS and the server being a daemon process on a UNIX, Linux, or Windows server.

Communications between PC and NAS may not be encrypted.


The Terminal Access Controller Access Control System+ (TACACS+) protocol is the current generation of the TACACS family. Originally TACACS was developed by BBN Planet Corporation for MILNET, an early military network, but it has been enhanced by Cisco, which has expanded its functionality twice. The original BBN TACACS system provided a combination process of authentication and authorization. Cisco extended this to Extended Terminal Access Controller Access Control System (XTACACS), which provided for separate authentication, authorization, and accounting processes. The current generation, TACACS+, has extended attribute control and accounting processes.

One of the fundamental design aspects is the separation of authentication, authorization, and accounting in this protocol. Although there is a straightforward lineage of these protocols from the original TACACS, TACACS+ is a major revision and is not backward-compatible with previous versions of the protocol series.

TACACS+ uses TCP as its transport protocol, typically operating over TCP port 49. This port is used for the login process and is reserved in RFC 3232, “Assigned Numbers,” manifested in a database from the Internet Assigned Numbers Authority (IANA). In the IANA specification, both UDP port 49 and TCP port 49 are reserved for the TACACS+ login host protocol (see Table 11.3 in the “Connection Summary” section at the end of the chapter).

TACACS+ is a client/server protocol, with the client typically being a NAS and the server being a daemon process on a UNIX, Linux, or Windows server.

Communications between a TACACS+ client and TACACS+ server are encrypted using a shared secret that is manually configured into each entity and is not shared over a connection. Hence, communications between a TACACS+ client (typically a NAS) and a TACACS+ server are secure, but the communications between a user (typically a PC) and the TACACS+ client are subject to compromise. This is important to note, for if the user’s machine (usually a PC) is not the client (usually a NAS), then communications between PC and NAS are typically not encrypted and are passed in the clear.


TACACS+ (2 of 5)

TACACS+ authentication

TACACS+ allows for arbitrary length and content in the authentication exchange sequence, enabling many different authentication mechanisms to be used with TACACS+ clients.

Authentication is optional and is determined as a site-configurable option.

When authentication is used, common forms include PPP PAP, PPP CHAP, PPP EAP, token cards, and Kerberos.

The authentication process is performed using three different packet types: START, CONTINUE, and REPLY.


START and CONTINUE packets originate from the client and are directed to the TACACS+ server. The REPLY packet is used to communicate from the TACACS+ server to the client.


TACACS+ (3 of 5)

Figure 11.24 TACACS+ communication sequence


The authentication process is illustrated in this figure, and it begins with a START message from the client to the server. This message may be in response to an initiation from a PC connected to the TACACS+ client. The START message describes the type of authentication being requested (simple plaintext password, PAP, CHAP, and so on). This START message may also contain additional authentication data, such as a username and password. A START message is also sent as a response to a restart request from the server in a REPLY message. A START message always has its sequence number set to 1.

When a TACACS+ server receives a START message, it sends a REPLY message. This REPLY message indicates whether the authentication is complete or needs to be continued. If the process needs to be continued, the REPLY message also specifies what additional information is needed. The response from a client to a REPLY message requesting additional data is a CONTINUE message. This process continues until the server has all the information needed, and the authentication process concludes with a success or failure.

115

TACACS+ (4 of 5)

TACACS+ authorization

Defined as the granting of specific permissions based on the privileges held by the account

Generally occurs after authentication, but not a firm requirement

An optional process and may or may not be part of a site-specific operation

Performed using two message types: REQUEST and RESPONSE

A default state of “unknown user” exists before a user is authenticated, and permissions can be determined for an unknown user.

When it is used in conjunction with authentication, the authorization process follows the authentication process and uses the confirmed user identity as input in the decision process.

The authorization process is performed using two message types: REQUEST and RESPONSE. The authorization process is performed using an authorization session consisting of a single pair of REQUEST and RESPONSE messages. The client issues an authorization REQUEST message containing a fixed set of fields enumerating the authenticity of the user or process requesting permission and a variable set of fields enumerating the services or options for which authorization is being requested.

The RESPONSE message in TACACS+ is not a simple yes or no; it can also include qualifying information, such as a user time limit or IP restrictions. These limitations have important uses, such as enforcing time limits on shell access or enforcing IP access list restrictions for specific user accounts.

116

TACACS+ (5 of 5)

TACACS+ accounting

An optional function of TACACS+

Defined as the process of recording what a user or process has done

Serves two important purposes:

It can be used to account for services being utilized, possibly for billing purposes.

It can be used for generating security audit trails.

Three types of accounting records: START, STOP, and UPDATE

TACACS+ accounting records contain several pieces of information to support these tasks. The accounting process has the information revealed in the authorization and authentication processes, so it can record specific requests by user or process. To support this functionality, TACACS+ has three types of accounting records: START, STOP, and UPDATE. Note that these are record types, not message types as earlier discussed.

117

Authentication Protocols (1 of 20)

Numerous authentication protocols have been developed.

Some did not enjoy market share.

Others have had security issues.

Others have been revised and improved in newer versions.

118

Authentication Protocols (2 of 20)

L2TP and PPTP

Layer 2 Tunneling Protocol (L2TP) and Point-to-Point Tunneling Protocol (PPTP) are both OSI Layer 2 tunneling protocols.

Tunneling is the encapsulation of one packet within another.

This allows you to hide the original packet from view.

This can be done for both security and practical reasons.

119

Authentication Protocols (3 of 20)

L2TP

Layer 2 Tunneling Protocol (L2TP) is an Internet standard and came from the Layer 2 Forwarding (L2F) protocol, a Cisco initiative designed to address issues with PPTP.

Designed for use across all kinds of networks

Can be implemented by both hardware and software

Designed to work with established AAA services such as RADIUS and TACACS+

Established via UDP port 1701

120

Authentication Protocols (4 of 20)

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote PC to a server by creating a VPN across a TCP/IP network.

It can also span a public switched telephone network (PSTN) and is thus an economical way of connecting remote dial-in users to a corporate data network.

For most PPTP implementations, three computers are involved: the PPTP client, the NAS, and a PPTP server.

121

Authentication Protocols (5 of 20)

Figure 11.25 PPTP communication diagram

For most PPTP implementations, three computers are involved: the PPTP client, the NAS, and a PPTP server, as shown in this figure.

122

Authentication Protocols (6 of 20)

Figure 11.26 PPTP message encapsulation during transmission

The connection between the remote client and the network is established in stages, as illustrated in this figure.

First the client makes a PPP connection to a NAS, typically an ISP. (In today’s world of widely available broadband, if there is already an Internet connection, then there is no need to perform the PPP connection to the ISP.) Once the PPP connection is established, a second connection is made over the PPP connection to the PPTP server. This second connection creates the VPN connection between the remote client and the PPTP server. A typical VPN connection is one in which the user is in a hotel with a wireless Internet connection, connecting to a corporate network. This connection acts as a tunnel for future data transfers. Although these diagrams illustrate a telephone connection, this first link can be virtually any method. Common in hotels today are wired connections to the Internet. These wired connections typically are provided by a local ISP and offer the same services as a phone connection, albeit at a much higher data transfer rate.

123

Authentication Protocols (7 of 20)

PPP

Point-to-Point Protocol (PPP) is an older, still widely used protocol for establishing dial-in connections over serial lines or Integrated Services Digital Network (ISDN) services.

PPP has several authentication mechanisms: PAP, CHAP, and the Extensible Authentication Protocol (EAP).

Protocols used to authenticate the peer device

PPP is a standardized Internet encapsulation of IP traffic over point-to-point links, such as serial lines.

The authentication process is performed only when the link is established.

124

Authentication Protocols (8 of 20)

Extensible Authentication Protocol (EAP) is a universal authentication framework defined by RFC 3748.

Frequently used in wireless networks and point-to-point connections

Can be used for wired authentication

Most often used in wireless LANs

Extensible Authentication Protocol (EAP) is a universal authentication framework defined by RFC 3748 that is frequently used in wireless networks and point-to-point connections. Although EAP is not limited to wireless and can be used for wired authentication, it is most often used in wireless LANs. EAP is discussed in detail in Chapter 12.

125

Authentication Protocols (9 of 20)

Challenge-Handshake Authentication Protocol (CHAP) is used to provide authentication across a point-to-point link using PPP.

Authentication after the link has been established is not mandatory.

CHAP is designed to provide authentication periodically through the use of a challenge/response system that is sometimes described as a three-way handshake.

Microsoft has created two versions of CHAP.

Microsoft has created two versions of CHAP, modified to increase the usability of CHAP across Microsoft’s product line. MSCHAP v1, defined in RFC 2433, has been deprecated and was dropped in Windows Vista. The current standard, version 2, defined in RFC 2759, was introduced with Windows 2000.

126

Authentication Protocols (10 of 20)

Figure 11.27 The CHAP challenge/response sequence

The three-way handshake is illustrated in this figure. The initial challenge (a randomly generated number) is sent to the client. The client uses a one-way hashing function to calculate what the response should be and then sends this back. The server compares the response to what it calculated the response should be. If they match, communication continues. If the two values don’t match, then the connection is terminated. This mechanism relies on a shared secret between the two entities so that the correct values can be calculated.
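The handshake just described, as an added example (not code from the textbook). The response is computed as RFC 1994 specifies, MD5 over the one-octet identifier, the shared secret and the challenge value; MD5 is what CHAP defines, not a choice to carry into new designs. Peer names and secrets are constructed sample values. The last function shows why a fresh random challenge matters: a response captured from one exchange does not verify against the next challenge.

```python
"""CHAP challenge/response as a three-way handshake (added example)."""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Client side: one-way hash that binds the shared secret to this challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: holds each peer's shared secret and checks responses."""

    def __init__(self, secrets):
        self.secrets = secrets      # constructed sample: {peer name: shared secret bytes}
        self.identifier = 0

    def challenge(self):
        """Step 1: a fresh random challenge under a new identifier."""
        self.identifier = (self.identifier + 1) % 256
        return self.identifier, os.urandom(16)

    def verify(self, name, identifier, challenge, response):
        """Step 3: recompute what the response should be; compare in constant time."""
        secret = self.secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def handshake(auth, name, client_secret):
    """Runs the three steps and returns the server's decision."""
    identifier, challenge = auth.challenge()                        # server -> client
    response = chap_response(identifier, client_secret, challenge)  # client -> server
    return auth.verify(name, identifier, challenge, response)       # server decides


def replay_is_rejected(auth, name, client_secret):
    """Because the hash covers the challenge, a response from one exchange
    does not verify against a later, different challenge."""
    identifier, challenge = auth.challenge()
    earlier_response = chap_response(identifier, client_secret, challenge)
    assert auth.verify(name, identifier, challenge, earlier_response)   # genuine exchange
    new_identifier, new_challenge = auth.challenge()                    # next period's challenge
    return not auth.verify(name, new_identifier, new_challenge, earlier_response)


if __name__ == "__main__":
    auth = ChapAuthenticator({"branch-router": b"s3cret-shared"})
    print("genuine peer:", handshake(auth, "branch-router", b"s3cret-shared"))
    print("wrong secret:", handshake(auth, "branch-router", b"wrong"))
    print("replay rejected:", replay_is_rejected(auth, "branch-router", b"s3cret-shared"))
```

The server never sends the secret; only the challenge and the hash cross the link, which is the difference from PAP's cleartext two-way handshake on the next slide.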

127

Authentication Protocols (11 of 20)

NT LAN Manager (NTLM) is an authentication protocol designed by Microsoft for use with the Server Message Block (SMB) protocol.

NTLM v2 is still used when:

Authenticating to a server using an IP address

Authenticating to a server that belongs to a different Active Directory forest

Authenticating to a server that doesn’t belong to a domain

No Active Directory domain exists (“workgroup” or “peer-to-peer” connection)

SMB is an application-level network protocol primarily used for sharing of files and printers in Windows-based networks.

NTLM was designed as a replacement for the LANMAN protocol. The current version is NTLM v2, which was introduced with Windows NT 4.0 SP4. Although Microsoft has adopted the Kerberos protocol for authentication, NTLM v2 is still used when:

Authenticating to a server using an IP address

Authenticating to a server that belongs to a different Active Directory forest

Authenticating to a server that doesn’t belong to a domain

No Active Directory domain exists (“workgroup” or “peer-to-peer” connection)

128

Authentication Protocols (12 of 20)

Password Authentication Protocol (PAP) involves a two-way handshake in which the username and password are sent across the link in cleartext.

PAP authentication does not provide any protection against playback and line sniffing.

PAP is now a deprecated standard.

129

Authentication Protocols (13 of 20)

Telnet is the standard terminal-emulation protocol within the TCP/IP protocol series.

Allows users to log in remotely and access resources as if the user had a local terminal connection

Offers little security, as usernames, passwords, and all data are passed in cleartext over the TCP/IP connection

Makes its connection using TCP port 23

Important to control access to Telnet on machines and routers when setting them up

One of the methods to grant remote access to a system is through Telnet. Telnet is the standard terminal-emulation protocol within the TCP/IP protocol series, and it is defined in RFC 854. Telnet allows users to log in remotely and access resources as if the user had a local terminal connection. Telnet is an old protocol and offers little security. Information, including account names and passwords, is passed in cleartext over the TCP/IP connection.

Telnet makes its connection using TCP port 23. As Telnet is implemented on most products using TCP/IP, it is important to control access to Telnet on machines and routers when setting them up. Failure to control access by using firewalls, access lists, and other security methods, or even by disabling the Telnet daemon, is equivalent to leaving an open door for unauthorized users on a system.

130

Authentication Protocols (14 of 20)

Secure Shell (SSH) is a protocol series designed to facilitate secure network functions across an insecure network.

Designed to replace the insecure Telnet application

Uses TCP port 22

Three major components

Transport layer protocol

User authentication protocol

Connection protocol

Very popular in the UNIX environment

SSH provides direct support for secure remote login, secure file transfer, and secure forwarding of TCP/IP and X Window System traffic. An SSH connection is an encrypted channel, providing for confidentiality and integrity protection.

SSH has its origins as a replacement for the insecure Telnet application from the UNIX operating system. An original component of UNIX, Telnet allowed users to connect between systems. Although Telnet is still used today, it has some drawbacks, as discussed in the preceding section. Some enterprising University of California, Berkeley, students subsequently developed the r- commands, such as rlogin, to permit access based on the user and source system, as opposed to passing passwords. This was not perfect either, however, because when a login was required, it was still passed in the clear. This led to the development of the SSH protocol series, designed to eliminate all of the insecurities associated with Telnet, r- commands, and other means of remote access.

SSH opens a secure transport channel between machines by using an SSH daemon on each end. These daemons initiate contact over TCP port 22 and then communicate over higher ports in a secure mode. One of the strengths of SSH is its support for many different encryption protocols. SSH 1.0 started with RSA algorithms, but at the time they were still under patent, and this led to SSH 2.0 with extended support for Triple DES (3DES) and other encryption methods. Today, SSH can be used with a wide range of encryption protocols, including RSA, 3DES, Blowfish, International Data Encryption Algorithm (IDEA), CAST128, AES256, and others.

The SSH protocol has facilities to encrypt data automatically, provide authentication, and compress data in transit. It can support strong encryption, cryptographic host authentication, and integrity protection. The authentication services are host-based and not user-based. If user authentication is desired in a system, it must be set up separately at a higher level in the OSI model. The protocol is designed to be flexible and simple, and it is designed specifically to minimize the number of round-trips between systems. The key exchange, public key, symmetric key, message authentication, and hash algorithms are all negotiated at connection time. Individual data-packet integrity is assured through the use of a message authentication code that is computed from a shared secret, the contents of the packet, and the packet sequence number.
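The per-packet integrity check described in the last sentence above, as an added example (not the textbook's code and not taken from any SSH implementation). It follows the construction in RFC 4253 section 6.4: the MAC is computed over the 32-bit packet sequence number followed by the packet, keyed with the integrity key agreed at connection time. The key and payloads are constructed sample values (real SSH derives the key from the key exchange and also encrypts the packet), and HMAC-SHA-256 is assumed as the negotiated MAC algorithm.

```python
"""Per-packet integrity check in the style of the SSH transport layer
(added example)."""
import hashlib
import hmac
import struct


def packet_mac(key, seq_no, packet):
    """MAC(key, uint32 sequence_number || unencrypted_packet)."""
    return hmac.new(key, struct.pack(">I", seq_no) + packet, hashlib.sha256).digest()


class SshSender:
    def __init__(self, integrity_key):
        self.key = integrity_key
        self.seq_no = 0                         # implicit: never sent on the wire

    def send(self, packet):
        tag = packet_mac(self.key, self.seq_no, packet)
        self.seq_no = (self.seq_no + 1) & 0xFFFFFFFF
        return packet, tag                      # real SSH also encrypts the packet


class SshReceiver:
    def __init__(self, integrity_key):
        self.key = integrity_key
        self.seq_no = 0                         # tracked independently of the sender

    def receive(self, packet, tag):
        """Accept only if the tag matches this packet at this sequence number.
        A real SSH peer disconnects on a MAC failure; here the counter simply
        does not advance so the demonstration can continue."""
        expected = packet_mac(self.key, self.seq_no, packet)
        if not hmac.compare_digest(expected, tag):
            return False
        self.seq_no = (self.seq_no + 1) & 0xFFFFFFFF
        return True


def demo():
    """Outcome of four deliveries: two genuine packets, one modified packet,
    and a verbatim repeat of the first packet with its original tag."""
    key = b"\x42" * 32                          # constructed sample integrity key
    sender, receiver = SshSender(key), SshReceiver(key)
    p1, t1 = sender.send(b"channel data: ls -l")
    p2, t2 = sender.send(b"channel data: exit")
    results = {"first_genuine": receiver.receive(p1, t1)}
    tampered = bytes([p2[0] ^ 0x01]) + p2[1:]   # flip one bit of the second packet
    results["tampered"] = receiver.receive(tampered, t2)
    results["repeated_first"] = receiver.receive(p1, t1)   # receiver expects seq_no 1, not 0
    results["second_genuine"] = receiver.receive(p2, t2)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The sequence number is what turns a plain integrity check into protection against reordering and repetition: the same bytes with the same tag are only valid at the one position in the stream where they were sent.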

The SSH protocol consists of three major components:

Transport layer protocol Provides server authentication, confidentiality, integrity, and compression

User authentication protocol Authenticates the client to the server

Connection protocol Provides multiplexing of the encrypted tunnel into several logical channels

SSH is very popular in the UNIX environment, and it is actively used as a method of establishing VPNs across public networks. Because all communications between the two machines are encrypted at the OSI application layer by the two SSH daemons, this leads to the ability to build very secure solutions and even solutions that defy the ability of outside services to monitor. As SSH is a standard protocol series with connection parameters established via TCP port 22, different vendors can build differing solutions that can still interoperate.

Exam Tip: SSH uses TCP port 22. SCP (secure copy) and SFTP (secure FTP) use SSH, so each also uses TCP port 22.

131

Authentication Protocols (15 of 20)

SAML

Security Assertion Markup Language (SAML) is a single sign-on capability used for web applications to ensure user identities can be shared and are protected.

Defines standards for exchanging authentication and authorization data between security domains.

Increasingly important with cloud-based solutions and with Software as a Service (SaaS) applications.

SAML is an XML-based protocol that uses security tokens and assertions to pass information about a “principal” (typically an end user) between a SAML authority (an “identity provider” or IdP) and the service provider (SP).

132

Authentication Protocols (16 of 20)

OAuth

OAuth (Open Authorization) is an open protocol that provides secure token-based authentication and authorization in a simple, standard way for web, mobile, and desktop applications on the Internet.

OAuth 1.0 was developed by a Twitter engineer as part of the Twitter OpenID implementation.

OAuth 2.0 (not backward compatible) has taken off with support from most major web platforms.

133

Authentication Protocols (17 of 20)

OAuth (continued)

OAuth’s main strength is that it can be used by an external partner site to allow access to protected data without having to re-authenticate the user.

OAuth was created to remove the need for users to share their passwords with third-party applications, instead substituting a token.

OAuth 2.0 expanded this into also providing authentication services, so it can eliminate the need for OpenID.

134

Authentication Protocols (18 of 20)

OpenID Connect

OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol.

OpenID Connect allows clients of all types to request and receive information about authenticated sessions and end users.

OpenID is about proving who you are.

OpenID is commonly paired with OAuth 2.0 for authorization.

135

Authentication Protocols (19 of 20)

Shibboleth

Shibboleth is a service designed to enable single sign-on and federated identity-based authentication and authorization across networks.

Has yet to gain any widespread acceptance.

Shibboleth is a web-based technology that is built using SAML technologies.

It is included by many services that use SAML for identity management.

136

Authentication Protocols (20 of 20)

Secure token

A secure token service is responsible for issuing, validating, renewing, and cancelling security tokens.

Secure tokens solve the problem of authentication across stateless platforms, because user identity must be established with each request.

Tokens are used in a five-step process whose steps are highly scalable and can be widely distributed and even shared.
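The four responsibilities of a secure token service named above (issue, validate, renew, cancel), as an added example that is not the textbook's code. A token here is a base64url-encoded JSON claim set plus an HMAC-SHA-256 signature over it, the same idea as a JWT signed with HS256 though not byte-compatible with it. Validation needs only the signing key, which is what lets every node of a stateless platform check a token on each request; the revocation list is the one piece of shared state. The key is a constructed sample value.

```python
"""A small secure token service: issue, validate, renew and cancel tokens
(added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time


class SecureTokenService:
    def __init__(self, key, default_ttl=900):
        self.key = key                  # signing key shared by all validating nodes
        self.default_ttl = default_ttl  # seconds a token stays valid
        self.revoked = set()            # ids of tokens cancelled before they expire

    @staticmethod
    def _b64(data):
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

    @staticmethod
    def _unb64(text):
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

    def _sign(self, body):
        return self._b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())

    def issue(self, subject, now=None, ttl=None):
        now = int(time.time()) if now is None else now
        claims = {"sub": subject, "iat": now,
                  "exp": now + (self.default_ttl if ttl is None else ttl),
                  "jti": secrets.token_hex(8)}      # unique id, needed for cancellation
        body = self._b64(json.dumps(claims, separators=(",", ":")).encode())
        return body + "." + self._sign(body)

    def _signed_claims(self, token):
        """Claims of a token whose signature verifies, else None."""
        body, sep, sig = token.partition(".")
        if not sep or not hmac.compare_digest(self._sign(body).encode(), sig.encode()):
            return None                 # forged or tampered
        try:
            return json.loads(self._unb64(body))
        except (ValueError, TypeError):
            return None

    def validate(self, token, now=None):
        now = int(time.time()) if now is None else now
        claims = self._signed_claims(token)
        if claims is None or claims["exp"] <= now or claims["jti"] in self.revoked:
            return None                 # bad signature, expired, or cancelled
        return claims

    def renew(self, token, now=None):
        """Exchange a still-valid token for a fresh one; the old one is cancelled."""
        claims = self.validate(token, now)
        if claims is None:
            return None
        self.revoked.add(claims["jti"])
        return self.issue(claims["sub"], now)

    def revoke(self, token):
        """Cancel a token ahead of its expiry; returns False for unsigned input."""
        claims = self._signed_claims(token)
        if claims is not None:
            self.revoked.add(claims["jti"])
        return claims is not None


if __name__ == "__main__":
    sts = SecureTokenService(b"\x01" * 32)      # constructed sample key
    token = sts.issue("alice")
    print("valid:", sts.validate(token) is not None)
    sts.revoke(token)
    print("valid after revoke:", sts.validate(token) is not None)
```

Short lifetimes plus renewal keep the revocation list small: an entry only has to be remembered until the token it names would have expired anyway.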

137

FTP/FTPS/SFTP

File Transfer Protocol (FTP) is a plaintext protocol that operates by communicating over TCP between a client and a server.

FTPS is the use of FTP over an SSL/TLS secured channel.

Secure FTP (SFTP) runs FTP over SSH.

Later versions of SSH allow securing of channels such as the FTP control channel.

This leaves the data channel unencrypted, a problem solved in version 3.0 of SSH.

One of the methods of transferring files between machines is through the use of the File Transfer Protocol (FTP). FTP is a plaintext protocol that operates by communicating over TCP between a client and a server. The client initiates a transfer with an FTP request to the server’s TCP port 21. This is the control connection, and this connection remains open over the duration of the file transfer. The actual data transfer occurs on a negotiated data transfer port, typically a high-order port number. FTP was not designed to be a secure method of transferring files. If a secure method is desired, then using FTPS or SFTP is best.

FTPS is the use of FTP over an SSL/TLS secured channel. This can be done either in explicit mode, where an AUTH TLS command is issued, or in implicit mode, where the transfer occurs over TCP port 990 for the control channel and TCP port 989 for the data channel. SFTP is not FTP per se, but rather a completely separate Secure File Transfer Protocol defined by an IETF draft; the latest version, version 6, expired in July 2007 but has been incorporated into products in the marketplace.

It is also possible to run FTP over SSH, as later versions of SSH allow securing of channels such as the FTP control channel; this has also been referred to as Secure FTP. This leaves the data channel unencrypted, a problem that has been solved in version 3.0 of SSH, which supports FTP commands. The challenge of encrypting the FTP data communications is that the mutual port agreement must be opened on the firewall, and for security reasons, high-order ports that are not explicitly defined are typically secured. Because of this challenge, Secure Copy (SCP) is often a more desirable alternative to SFTP when using SSH.

138

VPNs (1 of 2)

A virtual private network (VPN) is a secure virtual network built on top of a physical network.

Virtual private networking is not a protocol per se, but rather a method of using protocols to achieve a specific objective—secure communications.

Typical use of VPN services is a user accessing a corporate data network from a home PC across the Internet.

The sole purpose of the VPN connection is to provide a private connection between the machines.

The security of a VPN lies in the encryption of packet contents between the endpoints that define the VPN. The physical network upon which a VPN is built is typically a public network, such as the Internet. Because the packet contents between VPN endpoints are encrypted, to an outside observer on the public network, the communication is secure, and depending on how the VPN is set up, security can even extend to the two communicating parties’ machines.

A typical use of VPN services is a user accessing a corporate data network from a home PC across the Internet. The employee installs VPN software from work on a home PC. This software is already configured to communicate with the corporate network’s VPN endpoint; it knows the location, the protocols that will be used, and so on. When the home user wants to connect to the corporate network, she connects to the Internet and then starts the VPN software. The user can then log into the corporate network by using an appropriate authentication and authorization methodology.

The sole purpose of the VPN connection is to provide a private connection between the machines, which encrypts any data sent between the home user’s PC and the corporate network. Identification, authorization, and all other standard functions are accomplished with the standard mechanisms for the established system.

VPNs can use many different protocols to offer a secure method of communicating between endpoints. Common methods of encryption on VPNs include PPTP, IPsec, SSH, and L2TP, all of which are discussed in this chapter. The key is that both endpoints know the protocol and share a secret. All of this necessary information is established when the VPN is set up. At the time of use, the VPN only acts as a private tunnel between the two points and does not constitute a complete security solution.

139

VPNs (2 of 2)

Figure 11.28 VPN service over an Internet connection

Virtual private networking is not a protocol per se, but rather a method of using protocols to achieve a specific objective—secure communications—as shown in this figure. A user who wants to have a secure communication channel with a server across a public network can set up two intermediary devices, VPN endpoints, to accomplish this task. The user can communicate with his endpoint, and the server can communicate with its endpoint. The two endpoints then communicate across the public network. VPN endpoints can be software solutions, routers, or specific servers set up for specific functionality. This implies that VPN services are set up in advance and are not something negotiated on-the-fly.

140

Vulnerabilities of Remote Access Methods

The primary vulnerability associated with many of these methods of remote access is the passing of critical data in cleartext.

The strength of the encryption algorithm is also a concern.

There always exists the possibility that a bug could open the system to attack.

The primary vulnerability associated with many of these methods of remote access is the passing of critical data in cleartext. Plaintext passing of passwords provides no security if the password is sniffed, and sniffers are easy to use on a network. Even plaintext passing of user IDs gives away information that can be correlated and possibly used by an attacker. Plaintext credential passing is one of the fundamental flaws with Telnet and is why SSH was developed. This is also one of the flaws with RADIUS and TACACS+, as they have a segment unprotected. There are methods for overcoming these limitations, although they require discipline and understanding in setting up a system.

The strength of the encryption algorithm is also a concern. Should a specific algorithm or method prove to be vulnerable, services that rely solely on it are also vulnerable. To get around this dependency, many of the protocols allow numerous encryption methods, so that should one prove vulnerable, a shift to another restores security.

As with any software implementation, there always exists the possibility that a bug could open the system to attack. Bugs have been corrected in most software packages to close holes that made systems vulnerable, and remote access functionality is no exception. This is not a Microsoft-only phenomenon, as one might believe from the popular press. Critical flaws have been found in almost every product, from open system implementations such as OpenSSH to proprietary systems such as Cisco IOS. The important issue is not the presence of software bugs, for as software continues to become more complex, this is an unavoidable issue. The true key is vendor responsiveness to fixing the bugs once they are discovered, and the major players, such as Cisco and Microsoft, have been very responsive in this area.

141

File system security (1 of 2)

Prevents unauthorized access and unauthorized alterations.

File system security is the set of mechanisms and processes employed to ensure this critical function.

Uses a combination of file storage mechanisms

Use access control lists and access control models

First, the file system must be capable of supporting user-level access differentiation.

NTFS does this but FAT32 does not.

142

File system security (2 of 2)

Second, a functioning access control model is needed: MAC, DAC, ABAC, or another.

Third, a system is needed to apply the users’ permissions to the files.

Can be handled by the OS

Administering and maintaining this can be a challenge
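The three requirements on these two slides, worked through as an added example (not the textbook's code): a file system that distinguishes users, a DAC access control model, and a mechanism that applies each user's permissions to a file. The model is an ACL per file whose entries name a user or a group and either allow or deny a set of permissions, with an explicit deny overriding any allow, as NTFS does. Users, groups and files are constructed samples.

```python
"""Applying users' permissions to files: a DAC-style ACL evaluator
(added example)."""
from dataclasses import dataclass

PERMS = ("read", "write", "execute")


@dataclass(frozen=True)
class Ace:
    principal: str          # a user name, or "group:<name>"
    perms: frozenset        # subset of PERMS this entry covers
    allow: bool = True      # False makes this an explicit deny entry


# Constructed sample directory: user -> groups
USER_GROUPS = {"alice": {"staff", "finance"}, "bob": {"staff"}, "eve": set()}

# Constructed sample file system: path -> access control list
FILE_ACLS = {
    "/finance/ledger.xlsx": [
        Ace("group:finance", frozenset({"read", "write"})),
        Ace("group:staff", frozenset({"read"})),
        Ace("bob", frozenset({"read"}), allow=False),   # deny beats his staff allow
    ],
    "/public/readme.txt": [Ace("group:staff", frozenset({"read"}))],
}


def principals_for(user, user_groups=USER_GROUPS):
    """The identities an ACL entry can match for this user: the user and each group."""
    return {user} | {f"group:{g}" for g in user_groups.get(user, set())}


def is_allowed(user, path, perm, file_acls=FILE_ACLS, user_groups=USER_GROUPS):
    """Default deny: no ACL, no matching allow, or any matching deny -> False."""
    acl = file_acls.get(path)
    if acl is None or perm not in PERMS:
        return False
    mine = principals_for(user, user_groups)
    matching = [a for a in acl if a.principal in mine and perm in a.perms]
    if any(not a.allow for a in matching):
        return False                # an explicit deny wins over every allow
    return any(a.allow for a in matching)


def effective_permissions(user, path, **kw):
    """What the user can actually do to the file once all entries are combined."""
    return {p for p in PERMS if is_allowed(user, path, p, **kw)}


if __name__ == "__main__":
    for user in USER_GROUPS:
        for path in FILE_ACLS:
            print(f"{user:6} {path:22} {sorted(effective_permissions(user, path))}")
```

The administration burden the slide mentions shows up even at this size: bob's deny entry has to be maintained separately from the group allow that would otherwise give him read access, and every such exception is one more thing to audit.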

143

Database security (1 of 2)

Major database engines have built-in encryption capabilities.

Can provide the desired levels of confidentiality and integrity to the contents of the database.

Advantage of encryption schemes

Can be tailored to the data structure, protecting the essential columns while not impacting columns that are not sensitive.

144

Database security (2 of 2)

Properly employing database encryption requires that the data schema and its security requirements be designed into the database implementation.

The advantage is better protection against any database compromise.

Performance hit is typically negligible with respect to other alternatives.

145

Connection Summary

Many protocols are used for remote access, authentication, and related purposes.

These methods have their own assigned ports.

146

Chapter Summary (1 of 2)

Identify the differences among user, group, and role management.

Implement password and domain password policies.

Describe methods of account management (SSO, time of day, logical token, account expiration).

Describe methods of access management (MAC, DAC, and RBAC).

Discuss the methods and protocols for remote access to networks.

147

Chapter Summary (2 of 2)

Identify authentication, authorization, and accounting (AAA) protocols.

Explain authentication methods and the security implications in their use.

Implement virtual private networks (VPNs) and their security aspects.

148