Network + 10.2

AAA refers to authentication, authorization, and accounting services.

Common password policies typically include a minimum length of password, password expiration, prevention of password reuse, and prevention of easy-to-guess passwords.

Authentication refers to the mechanisms used to verify the identity of the computer or user attempting to access a particular resource. Authentication is usually done with a set of credentials—most commonly a username and password.

Authorization determines if the person, previously identified and authenticated, is allowed access to a particular resource. This is commonly determined through group association. In other words, a particular group may have a specific level of security clearance. 

Accounting refers to the tracking mechanisms used to keep a record of events on a system. One tool often used for this purpose is auditing. Auditing is the process of monitoring occurrences and keeping a log of what has occurred ona system. A system administrator determines which events should be audited.

Identify which events to audit.

Minimum length of password

Password expiration

Prevention of password reuse

Prevention of easy-to-guess passwords

Kerberos was designed to fix such problems by using a method requiring only a single sign-on. This single sign-on enables a user to log into a system and access multiple systems or resources without the need to repeatedly re-enter the username and password. Additionally, Kerberos is designed to have entities authenticate themselves by demonstrating possession of secret information.

Kerberos is one part of a strategic security solution that provides secure authentication services to users, applications, and network devices by eliminating the insecurities caused by passwords stored or transmitted across the network.  Kerberos is used primarily to eliminate the possibility of a network “eavesdropper” tapping into data over the network—particularly usernames and passwords. Kerberos ensures data integrity and blocks tampering on the network. It employs message privacy (encryption) to ensure that messages are not visible to eavesdroppers on the network.

Secret-key cryptography

Symmetric key cryptography.

• Plain text that has been encrypted.
• hello mom -- symmetric key ---> 34*s;@440

Another cryptography method in use is asymmetric key cryptography, or public key cryptography. In this method, a device has both a public and private key. The private key is never shared. The public key is used to encrypt the communication, and the private key is used for decrypting.

a unique key (called a ticket) to each client that successfully authenticates to a server.  The ticket is encrypted and contains the user’s password, which is used to verify the user’s identity when a particular network service is requested.  Each ticket is time-stamped. It expires after a period of time, and a new one is issued. Kerberos works in thesame way that you go to a movie.

A Public Key Infrastructure (PKI) is a collection of software, standards, and policies combined to enable users from the Internet or other unsecured publicnetworks to securely exchange data. PKI uses a public and private cryptographic key pair obtained and shared through a trusted authority. Services and components work together to develop the PKI.

Tickets.

Certificates: A form of electronic credentials that validates users, computers,or devices on the network. A certificate is a digitally signed statementthat associates the credentials of a public key to the identity of theperson, device, or service that holds the corresponding private key.

Certificate authorities (CAs): CAs issue and manage certificates. They validate the identity of a network device or user requesting data. CAscan be either independent third parties, known as a public CA, or theycan be organizations running their own certificate-issuing server software, known as private CAs.

Certificate templates: Templates used to customize certificates issuedby a Certificate Server. This customization includes a set of rules and settings created on the CA and used for incoming certificate requests.

Certificate Revocation List (CRL): A list of certificates that were revoked before they reached the certificate expiration date. Certificates are often revoked due to security concerns such as a compromised certificate.

. Public key: A nonsecret key that forms half of a cryptographic key pairused with a public key algorithm. The public key is freely given to all potential receivers.

. Private key: The secret half of a cryptographic key pair used with a public key algorithm. The private part of the public key cryptography system is never transmitted over a network.

Public (asymmetric) key encryption uses both a private and public key to encrypt and decrypt messages. The public key is used to encrypt a message or verify a signature, and the private key is used to decrypt the messageor to sign a document.

Private (symmetric) key encryption uses a single key for both encryption and decryption. If a person possesses the key, he or she can both encrypt and decrypt messages. Unlike public keys, this single secret key cannot be shared with anyone except people who should be permitted to decrypt as well as encrypt messages.

Web security: PKI increases web security by offering server authentication, which enables client systems to validate that the server they communicate with is indeed the intended sever. Without this information, it is possible for people to place themselves between the client and the server and intercept client data by pretending to be the server. PKI also offers client authentication, which validates the client’s identity.

Digital signatures: Digital signatures are the electronic equivalent of a sealed envelope and are intended to ensure that a file has not been altered in transit. Any file with a digital signature is used to verify not only the publishers of the content or file, but also to verify the content integrity at the time of download. On the network, PKI enables you to issue certificates to internal developers/contractors and enables any employee to verify the origin and integrity of downloaded applications.

Secure email: Some of the information sent via email is not sensitive and does not need security, but for communications that contain sensitive data, a method is needed to secure email content. PKI can be deployed as a method for securing email transactions. In application, a private key is used to digitally sign outgoing emails, and the sender’s certificate is sent with the email so that the recipient of the email can verify the sender’s signature.

Certificates are the cornerstones of the PKI. A certificate is essentially a form of electronic credential that validates users, computers, or devices on the network. A certificate is a digitally signed statement that associates the credentials of a public key to the identity of the person, device, or service that holds the corresponding private key.

RADIUS is a protocol that enables a single server to become responsible for all remote-access authentication, authorization, and auditing (or accounting) services.  RADIUS functions as a client/server system. The remote user dials in to the remote-access server, which acts as a RADIUS client, or network access server(NAS), and connects to a RADIUS server. The RADIUS server performs authentication, authorization, and auditing (or accounting) functions and returns the information to the RADIUS client (which is a remote-access server running RADIUS client software); the connection is either established or rejected based on the information received.

Terminal Access Controller Access Control System+ (TACACS+) is a security protocol designed to provide centralized validation of users who are attempting to gain access to a router or Network Access Server (NAS). Like RADIUS, TACACS+ is a set of security protocols designed to provide authentication, authorization, and accounting (AAA) of remote users. TACACS uses TCP port 49 by default.

. TACACS+ relies on TCP for connection-oriented delivery.  RADIUS uses connectionless UDP for data delivery.

. RADIUS combines authentication and authorization, where as TACACS+ can separate their functions.

Microsoft Challenge Handshake Authentication Protocol (MSCHAP)

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2):

Extensible Authentication Protocol (EAP):

Challenge Handshake Authentication Protocol (CHAP):

Password Authentication Protocol (PAP):

Unauthenticated access:

Authenticates remote Windows workstations, providing the functionality to which LAN-based users are accustomed while integrating the hashing algorithms used on Windows networks. MS-CHAP works with PPP, PPTP, and L2TP network connections. MS-CHAP uses a challenge/response mechanism to keep the password from being sent during the authentication process. MS-CHAP uses the Message Digest 5 (MD5) hashing algorithm and the Data Encryption Standard (DES) encryption algorithm to generate the challenge and response.

Brings with it enhancements over its predecessor, MSCHAP. These enhancements include support for two-way authentication and a few changes in how the cryptographic key is analyzed. As far as authentication methods are concerned, MS-CHAP version 2 is the most secure. MS-CHAP works with PPP, PPTP, and L2TP network connections.

An extension of PPP that supports authentication methods that go beyond the simple submission of a username and password. EAP was developed in response to an increasing demand for authentication methods that use other types of security devices such as token cards, smart cards, and digital certificates.

CHAP performs a one-way authentication. However, authentication is performed through a three-way handshake (challenge, response, and acceptance messages) between a server and a client. The three-way handshake allows a client to be authenticated without sending credential information across a network. A widely supported authentication method that works much the same way as MSCHAP. A key difference between the two is that CHAP supports non-Microsoft remote-access clients. CHAP enables for authentication without actually having the user send his password over the network. Because it’s an industry standard, it enables Windows Server 2008/2003and Windows 7/Vista to behave as a remote client to almost any third party PPP server.

Use PAP only if necessary.PAP is a simple authentication protocol in which the username and password are sent to the remote-access server in clear text, making it possible for anyone listening to network traffic to steal both. PAP typically isused only when connecting to older UNIX-based remote-access servers that do not support any additional authentication protocols.

. Moderately expensive: Some systems, particularly those with management capabilities, are quite expensive.

. Enhanced controls and logging: Each time people enter the serverroom, they must key in a number or use a swipe card. This process enables systems to log who enters and when.

. Some additional knowledge required: Swipe card systems need special software and hardware that can configure the cards. Someone has to learn how to do this.

. Very effective: Because each person entering the room must supply proof-of-person evidence, verification of the person entering the serverarea is as close to 100% reliable as you can get.

. Nothing to lose: Because there are no cards or keys, nothing can belost.

. Expensive: Biometric security systems and their attendant scanners and software are still relatively expensive and can be afforded only by organizations that have a larger budget; although, prices are sure to drop as more people turn to this method of access control.

When two or more access methods are included as part of the authentication process, you’re implementing a multifactor system. A system that uses any two items—such as smart cards and passwords—is referred to as a two-factor authentication system. A multifactor system can consist of a two-factor system, three-factor system, and so on. As long as there is more than one factor involved in the authentication process, it is considered a multifactor system.

B. HTTPS uses SSL to create secure connections over the Internet. Answer A is incorrect because SSH provides a secure multiplatform replacement for Telnet. Answer C is invalid because it is a service and not a protocol. Answer D is incorrect because IPSec is designed to encrypt data during communication between two computers.

A. IPSec is not an authentication protocol. All the other protocols listed are authentication protocols.

C. Strong passwords include a combination of letters and numbers and upper and lowercase letters. Answer C is by far the strongest password. Answer A is not a strong password because it is a standard word, contains no numbers, and is all lowercase. Answer B mixes letters and numbers, and it is not a recognized word, so it is a strong password, but it is not as strong as answer C. Answer D is too easy to guess and contains no numbers.

A. By installing a RADIUS server, you can move the workload associated with authentication to a dedicated server. A proxy server would not improve the dialup connection’s performance. There is no such thing as a Kerberos server or an IPSec server.

A and B. Secure Shell (SSH) technology is used by both Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP). Answers C and D are incorrect because Simple Network Management Protocol (SNMP) and Simple Mail Transfer Protocol (SMTP) do not use SSH technology for additional security.