Week3-Week4 (3).pptx
Network Authentication and Access Control: Tor & VPN
• Chapter 5: Guide to Network Security, International Edition/1st Edition, Cengage Learning; Michael E. Whitman, Herbert J. Mattord, David Mackey, Andrew Green; ISBN 9781133279075
• Chapter 19: Computer & Internet Security: A Hands-on Approach, Wenliang Du, 2019

Objectives
• Define access control and identify the various ways it can be implemented
• Explain why authentication is a critical aspect of network access control
• Identify the component parts of virtual private networks (VPNs)
• List and define the essential activities that a VPN must be able to perform
• Explain the various VPN architectures in common use

Introduction
• Network security strategies authenticate machines rather than individuals
• Main types of authentication performed by network security devices
  – Client
  – User
  – Session
• Stronger level of authentication
  – Network Access Control (NAC)
  – VPN access controllers

Access Control
• Granting or denying approval to use specific resources
• Regulates admission into trusted areas of the organization
  – Logical access to information systems
  – Physical access to facilities
• Made up of policies, programs, and technologies
  – Identification
  – Authentication
  – Authorization
  – Accountability/Accounting/Auditing

Access Control Terminology
• Identification: presenting credentials
  – Example: a delivery driver presenting an employee badge
• Authentication: checking the credentials
  – Example: examining the delivery driver's badge
• Authorization: granting permission to take action
  – Example: allowing the delivery driver to pick up a package

Identification
• Process by which a computer system recognizes a user's identity
  – Accounts are stored locally or centrally
  – Operating systems have a default user account: root (UNIX) or administrator (Windows)
  – It should be renamed to make it more difficult to access
• Periodic reviews
  – Performed by network administrators
  – Ensure the employee still works at the company
  – Determine if the employee still requires an account

Authentication
• Act of confirming the identity of a user account
• User proposes and verifies an identity with some combination of:
  – Something you know: password or passphrase
  – Something you have: smart card or key
  – Something you are: fingerprint, iris scan, or voiceprint
• Single factor, two factor, biometrics...

Password Weaknesses
• The weakness of passwords is linked to human memory
  – Humans can only memorize a limited number of items
  – Long, complex passwords are most effective, but most difficult to memorize
  – Users must remember passwords for many different accounts
  – Security policies mandate that passwords expire, so users must repeatedly memorize new passwords
• Users often take shortcuts
  – Weak passwords (common words, short, or personal)
  – Reuse the same password for multiple accounts: an attacker who compromises one account may access others

Password Policies
• At least eight characters
• Contain at least one uppercase character
• Contain at least one lowercase character
• Contain at least one number and symbol
• Contain no part of the user's name
• Contain no words commonly found in a dictionary
• Contain no repeating characters
• Be combined with a salt when calculating hashes
• Must change passwords at least every 90 days
• Remember 10 or more previously used passwords
• Lock accounts after three to five invalid login attempts

Password Policies (cont'd.)
• One-time password software
  – Password generated for one-time use during a single session
  – Challenge-response passwords
  – Password list passwords
  – Token generators

Implementing Authentication
• Most operating systems are equipped with authentication schemes
• Firewalls and VPN access controllers can perform user authentication
• General process to authenticate users
  – Client requests access to a resource
  – Firewall prompts for username and password
  – User submits information and is authenticated
  – Request is checked against the firewall's rule base
  – Request is granted or denied

Implementing Authentication (cont'd.)
• User authentication
  – Authorized users are added to access control lists
• Client authentication
  – Similar to user authentication
  – Includes usage limits: a specific period of time or number of times (e.g., 1 hour)
• Session authentication
  – Requires authentication whenever a client system attempts a connection

Implementing Authentication (cont'd.)
• Network access control (NAC)
  – Before a device may communicate on the network, it must meet specific thresholds:
    • Device has the authorized user credentials needed to access the network
    • Device has appropriate security tools and up-to-date software versions
    • Device has the correct system configuration
    • Device complies with security standards

Figure: Network access control framework

Implementing Authentication (cont'd.)
• Centralized authentication
  – A central server maintains all user authorizations
  – Also called an authentication, authorization, and auditing (AAA) server
  – Can use several different authentication methods: RADIUS, TACACS+, Kerberos, LDAP

RADIUS
• Remote Authentication Dial In User Service
  – Developed in 1992
  – Became an industry standard
  – Suitable for high-volume service control applications, such as dial-in access to a corporate network
  – Still in use today
• RADIUS client
  – Typically a device such as a wireless AP
  – Responsible for sending user credentials and connection parameters to the RADIUS server

RADIUS (cont'd.)
• RADIUS user profiles are stored in a central database that all remote servers can share
• Advantages of a central service
  – Increases security due to a single administered network point
  – Easier to track usage for billing and keeping network statistics

Figure 9-7 RADIUS authentication © Cengage Learning 2012

Terminal Access Controller Access-Control System (TACACS)
• Authentication service similar to RADIUS
• Developed by Cisco Systems
• Commonly used on UNIX devices
• Communicates by forwarding user authentication information to a centralized server
• TACACS+ is a new, redesigned TACACS with no backward compatibility

Table 5-3 Characteristics of TACACS+ and RADIUS © Cengage Learning 2013

Kerberos
• Authentication system developed at MIT
  – Uses encryption and authentication for security
• Most often used in educational and government settings
• Works like using a driver's license to cash a check
• Kerberos ticket
  – Contains information linking it to the user
  – User presents the ticket to the network for a service
  – Difficult to copy
  – Expires after a few hours or a day

Figure 5-4 Kerberos authentication © Cengage Learning 2013

Lightweight Directory Access Protocol (LDAP)
• Originated at the University of Michigan
• Database stored on a network
• Builds a tree directory containing information about users and network devices
• Keeps track of network resources and users' privileges to those resources
• Grants or denies access based on its information

Access Control (Authorization)
• Four major access control models
  – Mandatory Access Control (MAC)
  – Discretionary Access Control (DAC)
  – Role Based Access Control (RBAC)
  – Rule Based Access Control (RBAC)

Mandatory Access Control (MAC)
• Most restrictive access control model
  – Controls are enforced by the computer system without intervention from the data owner
  – Typically found in military settings
  – Two elements: labels, which indicate the level of privilege required, and levels
• How MAC grants permissions (e.g., whether a file may be opened):
  – Compare object and subject labels
  – The subject must have an equal or greater level than the object to be granted access

Mandatory Access Control (MAC)
• U.S. military classification scheme
  – Unclassified
  – Sensitive but unclassified (might affect national security; e.g., for official/internal use only)
  – Confidential (damage; e.g., training, performance)
  – Secret (serious damage; e.g., foreign relations, military plans)
  – Top Secret (grave damage; e.g., defense plans, crypto)

Discretionary Access Control (DAC)
• DAC is implemented at the discretion of the data owner
  – Least restrictive model
  – Every object has an owner who has total control
  – Owners give permissions to other subjects
  – Used on operating systems such as most types of UNIX and Microsoft Windows
• DAC's weakness is that it relies on decisions by the user to set the proper security level
• Incorrect permissions may be granted
  – A subject's permissions will be "inherited" by any programs the subject executes

Figure 5-1 Sample access control matrix © Cengage Learning 2013
Figure 9-3 Discretionary Access Control (DAC) © Cengage Learning 2012

Role Based Access Control (RBAC)
• Also called nondiscretionary access control
  – Determined by a central authority
  – Access permissions are based on the user's job function
  – Can be either role-based or task-based
• RBAC assigns permissions to particular roles in an organization
  – Users are assigned to those roles

Rule Based Access Control
• Rule Based Access Control (RBAC)
  – Dynamically assigns roles to subjects based on a set of rules defined by a custodian
  – Each resource object contains access properties based on the rules
  – When a user attempts access, the system checks the object's rules to determine access permission

Other Forms of Access Control
• Content-dependent (accounting, marketing)
• Constrained user interfaces (ATM restrictions)
• Temporal (time-based) isolation

Best Practices for Access Control
• Establishing best practices for limiting access can help secure systems and data
• Examples of best practices
  – Implicit deny
  – Least privilege
  – Separation of duties
  – Job rotation
  – Mandatory vacations

Best Practices for Access Control
• Least privilege
  – Members are allowed the minimal amount of information necessary to perform their required duties
• Need to know
  – Limits a user's access to the specific information required for a task
• Separation of duties
  – Tasks are divided between two or more individuals

VPN

Introduction
• Networks primarily intended for internal use are called private networks.
• If we grant access from outside to the private network, the attack surface broadens significantly.
• If the internal resources still use the IP address as the basis for authorization, it is not difficult for attackers to access the protected resources.

Virtual Private Network
A VPN allows users to create a secure, private network over a public network such as the Internet. This is achieved by:
• Having a designated host (the VPN server) on the network
• Outside computers have to go through the VPN server, via authentication, to reach the hosts inside the private network
• The VPN server is exposed to the outside, while the internal computers are still protected via firewalls or reserved IP addresses

A Typical Setup
This is a typical VPN setup where the "Client" machine wants to connect with machine "V" on a private network. "Client" uses the "VPN Server" to get authenticated to the private network.

IP Tunneling

Virtual Private Network

Virtual Private Networks
• Connect remote workers
• Older technology
  – Dial-up connectivity
  – Remote Authentication Service
• Virtual private networks (VPNs)
  – Provide secure point-to-point communication over the public Internet
  – Data is encapsulated and encrypted

Extranets and Intranets
• Extranet: an extension of the organization's network using the Internet
• Intranet: a logical network restricted to employees within the organization

VPN Components and Operations
• Many telecom companies provide VPN services
• VPN tunnel
  – Virtual communications path over a TCP/IP network
  – No dedicated line; relies on Internet servers to forward traffic
• VPN components
  – Software that performs security-related activities
  – Hardware devices: endpoints or terminators
    • Hardware devices at each end
    • Perform encryption, authentication, and encapsulation

Figure 5-6 Simplified model VPN © Cengage Learning 2013
Figure 5-7 Model VPN © Cengage Learning 2013

Types of VPNs
• Site-to-site VPN: links two or more networks
• Client-to-site VPN: makes the network accessible to remote users who need dial-in access
• The two types are not mutually exclusive

VPN Appliances
• Hardware device designed to terminate VPNs
  – Permits connections among a large number of users
  – Does not provide file sharing and printing
  – 10-50 connections for commercial units, or up to 500 for high-end units at 1.5 Gbps
• Software VPN
  – Less expensive than hardware systems
  – More scalable on fast-growing networks
• VPN combinations of hardware and software
  – Implement a VPN appliance at the central network
  – Use client software at the remote end of each connection

Figure 5-10 Hardware VPN © Cengage Learning 2013

VPN Architectures
• Mesh configuration
  – Each participant in the VPN has an approved relationship with every other participant
  – The relationship is called a security association (SA)
• Hub-and-spoke configuration
  – A single VPN router contains records of all SAs in the VPN
  – All communication flows through the central router
  – The router must have double the bandwidth of the other connections
• Hybrid configuration

Figure 5-11 Mesh VPN
Figure 5-12 Hub-and-spoke VPN

Essential Activities of VPNs
• IP encapsulation
  – Enclosing a packet within another packet
  – Hides the actual IPs (private IP ranges)
  – Uses the VPN gateway IPs as source and destination
• Data payload encryption
  – Transport method encrypts traffic when it is generated: the data is encrypted, not the header
  – Tunnel method encrypts data in transit: both header and data portions are encrypted and encapsulated into another IP packet carrying the VPN gateways' addresses

Figure 5-9 VPN IP encapsulation with transport encryption and tunnel encryption methods © Cengage Learning 2013

IP Tunneling
• The tunnel runs between Tunnel End A and Tunnel End B and goes through a public network, such as the Internet
• Traffic inside the tunnel is protected
• The actual packet between the two ends of the tunnel: its payload carries another IP packet, which is the packet that needs to be protected, such as a packet to/from a private network

Tunneling Protocols Used with VPNs
• Proprietary protocols were used in the past
• IPSec/IKE
  – Standard for secure encrypted communication
  – Uses two security methods
    • Authentication Header (AH), IP protocol 51: authenticates packets
    • Encapsulating Security Payload (ESP), IP protocol 50: encrypts the payload
  – Works in both transport and tunnel modes
• Point-to-point tunneling protocol (PPTP)
  – Used for connections using a dial-in modem (uses MPPE)

Tunneling Protocols Used with VPNs (cont'd.)
• Layer 2 tunneling protocol (L2TP)
  – Extension of PPP using IPSec
  – Provides secure authenticated remote access
  – Separates the process of initiating a connection from the process of forwarding data
• UNIX-based methods for creating VPNs
  – Point-to-point protocol over Secure Sockets Layer
  – Point-to-point protocol over Secure Shell

• VPN over IPSec works at layer 3
  – Remote clients behave as if they were locally attached to the network (good for site-to-site VPNs)
  – Such VPNs also tend to require specific software supplied by the vendor
• VPN over SSL works at layer 5/6
  – More granular control over access permissions to specific services
  – Easier to configure and maintain
  – Supported by modern devices; deployed without the need for specialist client-side software
  – Lightweight browser-based clients

Most Common Tunneling Approaches Today
• IPSec tunneling
  – Utilizes the Internet Protocol Security protocol
  – IPSec has a mode called tunneling mode, where the original IP packet is encapsulated and placed into a new IP packet
• TLS/SSL tunneling
  – Tunneling is done outside the kernel, at the application level
  – The idea is to put each VPN-bound IP packet inside a TCP or UDP packet
  – The other end of the tunnel will extract the IP packet from the TCP/UDP payload
  – To secure the packets, both ends use the TLS/SSL protocol on top of TCP/UDP

IPSec vs TLS/SSL
• IPSec tunneling
• TLS/SSL tunneling (we will focus on this type)

An Overview of How TLS/SSL VPN Works
• Question: How can the tunnel application get an IP packet?
• The connection between the two tunnel ends is just a normal TCP- or UDP-based SSL connection
• The tunnel application talks to the kernel through two interfaces: the TUN/TAP interface and the socket interface

• Question: How can the tunnel application get an IP packet?
  – Typically, applications interact with the kernel using sockets
  – Using a socket, the kernel only gives the data part of a packet to applications
  – Applications need a different way to interact with the kernel

TUN/TAP Interface
• Most operating systems have two types of network interfaces:
  – Physical: corresponds to the physical Network Interface Card (NIC)
  – Virtual: a virtualized representation of a computer network interface that may or may not correspond directly to the NIC. Example: the loopback device
• TUN virtual interface
  – Works at OSI layer 3, the IP level
  – Sending any packet to TUN results in the packet being delivered to a user-space program
• TAP virtual interface
  – Works at OSI layer 2, the Ethernet level
  – Used for providing virtual network adapters for multiple guest machines connecting to a physical device of the host machine

Configure the TUN Interface
• Create a TUN interface: sudo ip tuntap add mode tun dev tun0
• Find the TUN interface
• Assign an IP address to the TUN interface and bring it up

Set Up the Routing
• Packets to this destination should be routed to the tun0 interface, i.e., they should go through the tunnel.
• All other traffic will be routed to the other interface, i.e., it will not go through the tunnel.

Other Usages for VPN
• Use a VPN when the underlying infrastructure is not trusted to be secure (coffee shop, hotel, etc.)
  – This will become unnecessary with HTTPS everywhere
• Most users tend to use commercial VPN solutions to get around censorship. But an analysis of 16 VPN providers shows*:
  – They make unrealistic protection promises
  – They collect personal data about users that could be used for marketing
  – Their ecosystems are not necessarily well protected
• Anonymity: a VPN might not be the perfect choice

* https://digital-lab-wp.consumerreports.org/wp-content/uploads/2021/12/VPN-WhitePaper.pdf

TOR

VPN for Anonymity
• Use the same VPN provider for every communication
  – What if the VPN provider reveals or sells your data?
• Tor is better for anonymity because it gives you random relays to serve your requests for your communications

TOR for Anonymity

Problem to Solve by Tor
• Figure: hosts A, B and C. A doesn't want C to know that he talks with B.
• TLS (HTTPS) hides ONLY the content, but not the address.

Figure: A picks 3 random relays D, E and F and builds the circuit A<->D<->E<->F to reach B; the circuit is identified at each relay by a circuit ID (CID: 9).
Exercise: make the return path.
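Returning to the VPN tunnelling slides above, the following Python is an added example (not code from the slides or from either textbook) that works through two points on those slides: tunnel-mode IP encapsulation as in Figure 5-9, where the whole inner packet becomes the payload of a gateway-to-gateway packet so only the gateway addresses are visible on the public path, and the framing a TLS/SSL tunnel needs because it carries whole IP packets over a TCP byte stream. Assumptions: plain IP-in-IP (protocol 4) stands in for ESP tunnel mode, so no encryption is performed; the addresses and payload are constructed; reading from and writing to a real TUN device is not shown.

```python
import socket
import struct

IPIP = 4  # IP-in-IP (RFC 2003); stands in here for ESP (protocol 50) tunnel mode, minus the encryption

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum; a header carrying a valid checksum sums to 0."""
    hdr += b"\x00" * (len(hdr) % 2)
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(pkt: bytes) -> dict:
    """What a tunnel program sees when it reads from TUN: a whole packet, header included."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 packet")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[ihl:total]}

def encapsulate(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole inner packet rides as the payload of a gateway-to-gateway packet."""
    return build_ipv4(gw_src, gw_dst, IPIP, inner)

def decapsulate(outer: bytes) -> bytes:
    hdr = parse_ipv4(outer)
    if hdr["proto"] != IPIP:
        raise ValueError("outer packet is not a tunnel packet")
    return hdr["payload"]

def frame(pkt: bytes) -> bytes:
    """TLS/SSL tunnelling over TCP: TCP is a byte stream, so length-prefix each IP packet."""
    return struct.pack("!H", len(pkt)) + pkt

def unframe(buf: bytes, chunk: bytes) -> tuple:
    """Append received bytes to buf; return (complete packets, leftover) for any chunking."""
    buf, packets = buf + chunk, []
    while len(buf) >= 2:
        n = struct.unpack("!H", buf[:2])[0]
        if len(buf) < 2 + n:
            break
        packets.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return packets, buf

# Constructed sample: a LAN host behind gateway A sends to a host behind gateway B.
INNER = build_ipv4("10.0.1.7", "10.0.2.9", 17, b"hello over the tunnel")
```

In a real TLS/SSL VPN the bytes produced by frame() are written to the TLS-wrapped socket and unframe() is fed whatever recv() returns, which is why it must cope with a packet split across reads.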