Security technology typically falls into one of three categories.
Identity:
Links user authentication and authorization on the network infrastructure; verifies the identity of those requesting access and prescribes what users are allowed to do.
Integrity:
Provides data confidentiality through firewalls, management control, routing, privacy and encryption, and access control.
Active Audit:
Provides data on network activities and assists network administrators in accounting for network usage, discovering unauthorized activities, and scanning the network for security vulnerabilities.
Identity
Let’s start by looking at some Identity technologies. Again, identity is the recognition of each individual user, the mapping of their identity, location and time of access to policy, and the authorization of their network services, that is, what they can do on the network.
Why is identity important? With IP addresses no longer being static (because of exhaustion of address space) and with solutions such as NAT and DHCP, etc., people are no longer tied to addresses. Ideally, we should be able to gain appropriate access based on who we are.
Identity can be determined by a number of technologies — user name and password, token card, digital certificate—each can be configured for a policy setting that indicates the degree of trust.
Administrators can also configure access by time of day—identity authorizations can also include a time metric for future time-based access capability.
The key to centralized identity and security policy management is the “combination” of all key authentication mechanisms, from SecurID and DES Dial cards to MS Login, and their internetworking with one common identity repository.
To truly be centralized and configured once only, the identity mechanism must also be media independent; equally applicable to dial-users and campus users for example.
Let’s look at some of these technologies.
Username/Password
For basic security, user IDs and passwords can be used to authenticate remote users.
First, a remote user dials into the network access server. The NAS, or network access server, negotiates data link setup with the user using (most likely) PPP. As part of this negotiation, the user must send a password to the NAS. This is usually handled by either the PAP or CHAP protocols, which we’ll cover in more detail in a little bit.
Next, the NAS forwards the user’s password to a AAA server to verify that it is legitimate. The protocol used between the NAS and AAA server is (most likely) either TACACS+ or RADIUS. I’ll be covering these protocols in more detail in a minute.
When the AAA server gets the user id and password, it checks its database of legitimate users and looks for a match. If a match is found, the AAA server sends the NAS a call accept message. If not, the AAA server sends the NAS a call reject message.
If the call is accepted, the user is connected to the campus network.
PAP and CHAP Authentication
Now let’s back up for a minute and explain a little more about the process of dial in connections.
Many of you have probably heard of PPP (Point-to-Point Protocol) before. PPP is used primarily on dial-in connections since it provides a standard mechanism for passing authentication information such as a password from a remote user to the NAS.
Two protocols are supported to carry the authentication information: PAP (Password Authentication Protocol) and CHAP (Challenge/Handshake Authentication Protocol). These protocols are well documented in IETF RFCs and widely implemented in vendor products.
PAP provides a simple password protocol. User ID and password are sent at the beginning of the call, then validated by the access server using a central PAP database. The PAP password database is encrypted, but the password is sent in clear text through the public network. A AAA server may be used to hold the password database.
The problem with PAP is that it is subject to sniffing and replay attacks. A hacker could intercept the communication and use that information to spoof a legitimate user.
CHAP provides an improved authentication protocol. The Access Server periodically challenges remote access devices such as a router to provide a proper password. The initial CHAP authentication is performed during login; network administrators can specify the rate of subsequent authentication. These repeated challenges limit the time of exposure of any single attack. The password is sent encrypted. Both sides can use the challenge/response mechanism supported by CHAP to authenticate the device at the other end.
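To make the PAP/CHAP difference concrete, here is an added illustration (not from this material or any vendor product) of the CHAP challenge/response calculation as defined in RFC 1994, with the access server and the AAA password database collapsed into one small class for simplicity. It shows that only a digest of the shared secret crosses the link, and that a response captured from one exchange does not validate against the next periodic challenge; the secret and user name are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample secret shared by the remote peer and the access server.
SECRET = b"example-shared-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP (MD5) response: MD5(Identifier || secret || Challenge).
    The secret itself is never transmitted; only this 16-byte digest is."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class AccessServer:
    """Toy NAS-side verifier; the secrets dict stands in for the AAA database."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.identifier = 0
        self.outstanding = {}  # identifier -> challenge that is still valid

    def challenge(self) -> tuple:
        """Issue a fresh, unpredictable challenge (used at login and periodically)."""
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Each challenge is single-use, so an old response cannot be replayed."""
        chal = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Legitimate login, then a replayed response, then a wrong secret."""
    server = AccessServer({"alice": SECRET})
    ident, chal = server.challenge()
    good = chap_response(ident, SECRET, chal)
    results = {"legitimate": server.verify(ident, "alice", good)}
    ident2, _ = server.challenge()          # periodic re-challenge
    results["replayed"] = server.verify(ident2, "alice", good)
    ident3, chal3 = server.challenge()
    bad = chap_response(ident3, b"guess", chal3)
    results["wrong_secret"] = server.verify(ident3, "alice", bad)
    return results
```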