Chapter 7 - 07 - Discuss Fundamentals of VPN and its importance in Network Security - 11_ocred.pdf

Full Transcript

Certified Cybersecurity Technician
Network Security Controls — Technical Controls
Exam 212-82

AAA Server (slide)

* The AAA server is used to establish secure access in a remote-access VPN environment
* An AAA server performs the following types of checks:
  * Authentication: Who are you?
  * Authorization: What are you allowed to do?
  * Accounting: What do you actually do?

Copyright © by All Rights Reserved. Reproduction is Strictly Prohibited

AAA Server

Authentication, authorization, and accounting (AAA) provides additional secure access in a remote-access environment. An AAA server provides users an extra layer of protection and control when compared to an access-control list (ACL) alone. An ACL enables outside users to access Telnet in the DMZ network. AAA permits only a few users to access the application after proper authorization and authentication have occurred. This can be implemented using the following:

* Who you are (authentication) is established by verifying user credentials such as the username and password.
* What you are allowed to do (authorization) is verified to offer access controls such as management commands, network access, and VPN access.
* What you actually do (accounting) refers to the type of traffic the users access through the VPN. This option tracks traffic that passes through the VPN and records all user activity.
The following are the authentication protocols used for an AAA server:

* RADIUS
* TACACS+
* RSA SecurID
* Windows NT
* Kerberos
* LDAP

Module 07 Page 960, Certified Cybersecurity Technician, Copyright © by EC-Council

Remote Access Dial-In User Service (slide)

* Remote Access Dial-In User Service (RADIUS) is the simplest way to use centralized authentication in VPNs
* RADIUS is a software application that runs on a server and has access to all users in the domain
* In a VPN environment, RADIUS manages both the user authentication and authorization. This reduces the total cost of ownership by managing the credentials from a central location
* When a user attempts to connect, the VPN server contacts the RADIUS server, which then authenticates the user through a Windows domain (typically a Windows domain controller) using both a username and a password
* If the username and password are correct and they have "dial-in" access granted, they will be allowed to access the VPN
* The VPN equipment must securely communicate with the RADIUS server and verify the user meets certain set conditions before granting permission to access the network

[Figure: Corporate Network, DualShield Authentication Server]

Remote Access Dial-In User Service

Remote Authentication Dial-In User Service (RADIUS) is the simplest method to use centralized authentication in VPNs. RADIUS is a client/server protocol that authenticates and authorizes dial-in users to access the system or device. It is a software application that runs on a server and has access to all users in the domain. RADIUS maintains profiles in its database, which enables remote servers to share the data and allows the data to be administered centrally.
Companies using a VPN network implement RADIUS for data authentication. This reduces the total cost of ownership because the credentials are managed from a central location.

In RADIUS, the VPN server interacts with the RADIUS server once the user attempts connection. The RADIUS server authenticates the user with their credentials. The user is granted access if and only if the user provides the correct credentials and has dial-in access. The RADIUS server sends a RADIUS message to the RADIUS client in response to the request for authentication. The VPN equipment must securely communicate with the RADIUS server and verify whether the user meets certain set conditions before granting permission to access the network.

The RADIUS messages are sent as User Datagram Protocol (UDP) messages, and the UDP payload of a RADIUS packet can include only one RADIUS message. The following are the different types of RADIUS message:

* Access-request: Sent by the RADIUS client to request authentication
* Access-accept: Sent by the RADIUS server in response to the access-request message
* Access-reject: Sent by the access server when the connection request is rejected
* Access-challenge: Sent by the RADIUS server to the RADIUS client in response to the access-request from the client
* Accounting-request: Sent by the RADIUS client to request information for a permitted connection
* Accounting-response: Sent by the RADIUS server in response to the accounting-request to the RADIUS client, informing them that the message from the RADIUS client

[Figure: VPN Client, VPN Gateway, DualShield Radius Server, DualShield Authentication Server, Corporate Network]
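
The RADIUS message types listed above, as an added example that is not part of the original course material: a Python parser for the single RADIUS message in a UDP payload, which maps the code byte to those message types and checks a reply's Response Authenticator against the shared secret. The packet layout, code numbers and MD5 check follow RFC 2865/2866; the function names, shared secret, user name and packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RADIUS code numbers (RFC 2865 / RFC 2866) for the message types listed above
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator


def parse_radius(payload: bytes) -> dict:
    """Parse the single RADIUS message carried in one UDP payload."""
    if len(payload) < HEADER.size:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(payload)
    if not HEADER.size <= length <= 4096 or length > len(payload):
        raise ValueError("length field inconsistent with UDP payload")
    attrs, pos = [], HEADER.size
    while pos < length:  # attributes are type / length / value triples
        a_len = payload[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.append((payload[pos], payload[pos + 2:pos + a_len]))
        pos += a_len
    return {"type": CODES.get(code, f"Unknown({code})"), "id": ident,
            "authenticator": auth, "attributes": attrs, "raw": payload[:length]}


def reply_is_authentic(reply: dict, request: dict, secret: bytes) -> bool:
    """Response Authenticator = MD5(code+id+length+RequestAuth+attrs+secret)."""
    raw = reply["raw"]
    expected = hashlib.md5(
        raw[:4] + request["authenticator"] + raw[20:] + secret).digest()
    return (reply["id"] == request["id"]
            and hmac.compare_digest(expected, reply["authenticator"]))


def build(code: int, ident: int, auth: bytes, attrs: bytes = b"") -> bytes:
    """Assemble a packet; used here only to construct the sample exchange."""
    return HEADER.pack(code, ident, HEADER.size + len(attrs), auth) + attrs


# Constructed sample exchange (hypothetical secret and user name)
SECRET = b"example-shared-secret"
REQ = build(1, 7, bytes(range(16)), b"\x01\x07alice")  # attribute 1 = User-Name
_unsigned = build(2, 7, bytes(range(16)))              # Access-Accept, no attributes
ACCEPT = build(2, 7, hashlib.md5(_unsigned + SECRET).digest())
```

A RADIUS client such as a VPN gateway should drop any reply that fails `reply_is_authentic` or whose identifier does not match an outstanding request.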
