Chapter 10

Authenticating Users

The Authentication Process in General

1.  Authentication is the act of identifying users and providing network services to them based on their identity. Most types of authentication require the user to supply to the authenticating firewall or server one of the following:

Ø  A piece of information, such as a password

Ø  Proof of physical possession of something, such as a smart card

Ø  A piece of information that is part of your physical identity, such as a fingerprint, voiceprint, or retinal scan

2.  In the field of network computing, authentication takes one of three specific forms.

Forms of Authentication

Ø  Basic authentication: A server maintains a local file of usernames and passwords that it refers to for matching the username-password pair being supplied by a client.

Ø  Challenge-response authentication: The authenticating computer or firewall generates a random code or number (the challenge) and sends it to the user who wishes to be authenticated.

Ø  Centralized authentication service: A centralized server handles three separate and essential authentication practices: authentication, authorization, and auditing.

How Firewalls Implement the Authentication Process

1.  The exact steps that firewalls follow to perform authentication may vary from one firewall configuration to another, but the general process is the same.

Authentication Steps

1)  The client makes a request to access a resource.

2)  The firewall intercepts the request and prompts the user for name and password.

3)  In return, the user submits the information to the firewall.

4)  The user is authenticated.

5)  The request is checked against the firewall’s rule base.

6)  If the request matches an existing allow rule, the user is granted access.

7)  The user accesses the desired resources.

Firewall Authentication Methods

1.  Some firewalls, such as Check Point FireWall-1, provide for a variety of different authentication methods, including user, client, or session authentication.

User Authentication

1.  User authentication is the simplest type of authentication and the one with which you are most likely to be familiar. Upon receiving a request, a program prompts the user for a username and password. When the information is submitted, the software checks the information against a list of usernames and passwords in its database. If a match is made, the user is authenticated.

2.  User authentication is useful for the many different individuals who might need to legitimately gain access to your internal servers, including:

Ø  Employees who work remotely or who are traveling

Ø  Contractors who work on-site

Ø  Freelancers who work off-site

Ø  Visitors who want to do some work or take a look at your system from your offices

Ø  Employees in branch offices

Ø  Interns who work for you

Ø  Employees of partner companies

Ø  Members of the public

Client Authentication

1.  In configuring client authentication, you need to set up one of two types of authentication systems:

·  A standard sign-on system, in which the client, after being successfully authenticated, is allowed to access whatever resources the user needs or perform any desired functions, such as transferring files or viewing Web pages

·  A specific sign-on system, in which the client is required to authenticate each time the user wants to access a server or use a service on the network being protected

Session Authentication

1.  Session authentication calls for authentication to be made whenever a client wishes to connect to a network resource and establish a session (a period when communications are exchanged). The following table lists the different authentication methods and provides the reasons why they are used:

Method                 | Used Under These Conditions
-----------------------|----------------------------------------------------------------------------------
User Authentication    | • You want to scan the content of IP packets.
                       | • The protocol in use is HTTP, HTTPS, FTP, rlogin, or Telnet.
                       | • You need to authenticate for each session separately.
Client Authentication  | • The individual user to be authenticated will come from a specific IP address.
                       | • The protocol in use is not HTTP, HTTPS, FTP, rlogin, or Telnet.
                       | • You want a user to be authenticated for a specific length of time.
Session Authentication | • The individual user to be authenticated will come from a specific IP address.
                       | • The protocol in use is not HTTP, HTTPS, FTP, rlogin, or Telnet.
                       | • You want a client to be authenticated for each session.

Centralized Authentication

1.  In a centralized authentication setup, a server, which is sometimes referred to as an Access Control Server (ACS), alleviates the need to provide each server on the network with a separate database of usernames and passwords, each of which would have to be updated individually if someone changed a password or a new user was added.


Kerberos

1.  Kerberos was developed at the Massachusetts Institute of Technology (MIT) in the university’s Athena Project and is designed to provide authentication and encryption through standard clients and servers. Instead of a server having to trust a client over an untrusted network, both client and server place their trust in the Kerberos server.

2.  The Kerberos system of granting access to a client that requests a service is quite involved (and thus quite secure). The steps are as follows:

Kerberos System

1)  Client requests a file or other service.

2)  Client is prompted for a username and password.

3)  Client submits a username and password.

4)  The Authentication Server (AS) grants a Ticket-Granting Ticket (TGT).

5)  Client presents the TGT to a Ticket-Granting Server (TGS).

6)  The TGS grants a session ticket. The TGS forwards the session ticket to the server holding the requested file or service.

7)  Client gains access.

TACACS+

1.  Terminal Access Controller Access Control System (TACACS+) is the latest and strongest version of a set of authentication protocols developed by Cisco Systems. TACACS+ and its predecessor protocols all provide authentication for dial-in users and are used primarily on UNIX-based networks. TACACS+ uses the MD5 algorithm (a formula that produces a 128-bit code called a message digest) to encrypt data. It provides centralized authentication services so that a network access server such as a router or firewall doesn’t have to handle dial-in user authentication.

Remote Authentication Dial-In User Service (RADIUS)

1.  Remote Authentication Dial-In User Service (RADIUS) is the other common protocol used to provide dial-in authentication. Note that RADIUS still transmits authentication packets unencrypted across the network, which means they are vulnerable to attacks from packet sniffers.


TACACS+ and RADIUS Compared

1.  The following table describes the characteristics of TACACS+ versus RADIUS.

TACACS+                                                   | RADIUS
----------------------------------------------------------|------------------------------------------------------------
Uses TCP                                                  | Uses UDP
Full packet encryption between client and server          | Encrypts only passwords; other information is unencrypted
Independent authentication, authorization, and accounting | Combines authentication and authorization
Passwords in the database may be encrypted                | Passwords in the database are in clear text

Proxy Characteristics

1.  One important thing to note is that RADIUS does not work with generic proxy systems. However, a RADIUS server can function as a proxy server, speaking to other RADIUS servers or other services that do authorization, such as Windows domain authentication.

NAT Characteristics

1.  RADIUS does not work with NAT. Addresses that are intended to go through NAT need to be static, not dynamic.

2.  TACACS+ should work through NAT systems, but, because TACACS+ supports encryption using a secret key shared between server and client, there is no way for the server to know which key to use if differing clients make use of different keys.

Password Security Issues

1.  Many authentication systems depend in part or entirely on passwords. The simplest forms of authentication require typing a user name and a reusable password. This method is truly secure for controlling only outbound Internet access because password guessing and eavesdropping attacks are likely on inbound access attempts.

Passwords That Can Be Cracked

1.  Systems that rely on passwords for authentication can be cracked (i.e., accessed by an unauthorized user) in a number of different ways:

Ø  Find a way to authenticate without knowing the password

Ø  Uncover the password from the system that holds it

Ø  Guess the password

Password Vulnerabilities

1.  Passwords have a number of built-in vulnerabilities. The more obvious ones include:

Ø  Passwords are often easy to guess because they haven’t been thought through by users.

Ø  Passwords are often stored on sticky notes or papers displayed in readily visible areas.

Ø  Passwords can be uncovered by “social engineering”—fooling users into giving out information.

Lax Security Habits

1.  To maintain some level of integrity, some corporations draw up a formal Memorandum of Understanding (MOU) with their partner companies. In an MOU, both parties formally agree to observe a set of rules of behavior. The MOU usually states what outsiders can do on the network or with passwords and states that any other use is forbidden. An MOU spells out who bears responsibility for critical resources as well as system maintenance, and it lists who to contact in case questions arise or help is needed.

Password Security Tools

1.  Password-based authentication can be undone by poor security habits on the part of users who do not manage their passwords well. Such weaknesses can be offset by passwords that are generated for one-time use with each session and then discarded.

One-Time Password Software

1.  The many problems associated with passwords and the ease of cracking them are alleviated by a one-time password. Two types of one-time passwords are available:

·  Challenge-response passwords: The authenticating computer or firewall generates a random number (the challenge) and sends it to the user who enters a secret PIN or password (the response). If the code and PIN or password match the information stored on the authenticating server, the user gains access.

·  Password list passwords: You enter a seed phrase, and the password system generates a list of passwords you can use. You pick one from the list and submit it along with the seed phrase to gain access.
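The challenge-response exchange described above (and under Forms of Authentication), as an added example that is not part of the chapter: the response is modelled as an HMAC-SHA256 of the server's random challenge under the user's shared secret, so the secret never crosses the network and a sniffed response is useless against the next challenge. The credential store and secret are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample credential store: username -> shared secret (bytes).
# A real system keeps these protected on the authenticating server or firewall.
SECRETS = {"alice": b"alice-shared-secret-example"}

def make_challenge() -> bytes:
    """Server side: generate a fresh random challenge for one login attempt."""
    return secrets.token_bytes(16)

def compute_response(secret: bytes, challenge: bytes) -> str:
    """Client side: derive the response from the secret and the challenge.
    Only this digest is sent back, never the secret itself."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()

def verify_response(user: str, challenge: bytes, response: str) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    secret = SECRETS.get(user)
    if secret is None:
        return False
    expected = compute_response(secret, challenge)
    return hmac.compare_digest(expected, response)

def authenticate(user: str, secret: bytes) -> bool:
    """One complete exchange: challenge (server -> client), response (client -> server), verdict."""
    challenge = make_challenge()
    response = compute_response(secret, challenge)
    return verify_response(user, challenge, response)

def replay_is_rejected(user: str, secret: bytes) -> bool:
    """A response captured by a packet sniffer does not verify against the next
    login, because the server issues a different challenge each time."""
    first_challenge = make_challenge()
    sniffed = compute_response(secret, first_challenge)
    second_challenge = make_challenge()
    return not verify_response(user, second_challenge, sniffed)
```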

The Shadow Password System

1.  Linux stores passwords in the /etc/passwd file in encrypted format. The passwords are encrypted using a one-way hash function: an algorithm that is easy to compute when encrypting a password but very difficult to reverse.

2.  The shadow password system, which is a feature of the Linux operating system that enables the secure storage of passwords, stores passwords in another file that has restricted access. In addition, passwords are stored only after being encrypted by a randomly generated value and an encoding formula. The random value is then stored along with the encrypted password. When a user enters a password, it is encrypted using the same formula and random value and then compared to the stored password; if the passwords match, the user is granted access to the requested system resources.
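The storage and check described above, as an added example that is not the operating system's own code: a random salt is drawn for each password, the salt and iteration count are stored next to the digest in a crypt-style field, and a login recomputes the digest from the stored salt. It assumes PBKDF2-SHA256 as the one-way formula and a work factor chosen for the example; the shadow table is constructed, not a real /etc/shadow.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 200_000  # work factor for the slow hash; a value chosen for this example

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Build a shadow-style field. The random salt is stored next to the digest
    so the same one-way computation can be repeated at login time."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    try:
        _, scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed field: reject rather than crash
    if scheme != "pbkdf2-sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate.hex(), digest_hex)

def same_password_different_fields(password: str) -> bool:
    """Two accounts with the same password get different stored fields because
    each gets its own random salt, so equal passwords are not visible in the file."""
    return hash_password(password) != hash_password(password)

# Constructed sample shadow table (username -> stored field), not a real /etc/shadow.
SHADOW = {"alice": hash_password("correct horse battery staple")}

def login(user: str, password: str) -> bool:
    """Look up the stored field for the user and check the supplied password against it."""
    stored = SHADOW.get(user)
    return stored is not None and verify_password(password, stored)
```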

Other Authentication Systems

1.  Most firewalls that are capable of handling authentication make use of one or more well-known systems. Check Point FireWall-1, for instance, handles the two centralized authentication protocols discussed earlier, RADIUS and TACACS+.

One-Time Password Systems

1.  FireWall-1 overcomes the problems associated with a single-password system. Each time the user wishes to authenticate and access resources, a different password is required. As long as the secret key used to generate the password is not divulged, the scheme is secure because hackers cannot pretend to be a particular user by intercepting a password.

Password Systems

Ø  Single Key (S/Key): One-time password authentication system that uses multiple-word rather than single-word passwords

Ø  SecurID: An authentication system, developed by RSA Security Inc., that makes use of a highly touted feature called two-factor authentication

Ø  Axent Pathways Defender: Another two-factor authentication system; it requires the administrator to purchase a Defender Token that is used to enter and submit PIN numbers to the authentication server
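A one-time password list of the kind S/Key and the "password list passwords" above use, as an added example that is not FireWall-1's or S/Key's own code: the server stores only the top of a one-way hash chain, each login reveals the next value down the chain, and a password that was intercepted cannot be accepted a second time. It assumes SHA-256 as the one-way function and a constructed seed phrase.

```python
import hashlib
import hmac

def h(value: bytes) -> bytes:
    """One step of the one-way chain (SHA-256 here; S/Key used MD4/MD5)."""
    return hashlib.sha256(value).digest()

def chain(seed: bytes, n: int) -> bytes:
    """Apply h to the seed n times, i.e. h^n(seed)."""
    value = seed
    for _ in range(n):
        value = h(value)
    return value

class OtpServer:
    """The server stores only the current top of the chain, never the seed."""
    def __init__(self, top: bytes, count: int):
        self.stored = top        # h^count(seed) at enrolment
        self.remaining = count   # one-time passwords left before re-enrolment

    def login(self, presented: bytes) -> bool:
        if self.remaining == 0:
            return False         # list exhausted; the user must re-enrol
        if not hmac.compare_digest(h(presented), self.stored):
            return False
        # Accept, then move the stored value one step down the chain so the
        # password just used (even if sniffed) can never be accepted again.
        self.stored = presented
        self.remaining -= 1
        return True

class OtpClient:
    """The client keeps the seed and reveals h^(k-1)(seed), then h^(k-2)(seed), ..."""
    def __init__(self, seed: bytes, count: int):
        self.seed = seed
        self.next_index = count - 1

    def next_password(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("password list exhausted")
        password = chain(self.seed, self.next_index)
        self.next_index -= 1
        return password

def enrol(seed: bytes, count: int):
    """Set up a client/server pair sharing a list of `count` one-time passwords."""
    return OtpClient(seed, count), OtpServer(chain(seed, count), count)
```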

Certificate-Based Authentication

1.  FireWall-1 supports the use of digital certificates, rather than passwords, to authenticate users. The organization using FireWall-1 would have to set up a Public Key Infrastructure (PKI) that generates keys to users. The user receives a code called a public key that is generated using the server’s private key and uses the public key to send encrypted information to the server. The server receives the public key and can decrypt the information using its private key.

802.1x Wi-Fi Authentication

1.  IEEE 802.1x is one of the fastest growing standards being used in connection with enterprise networks today. It’s popular because it supports wireless Ethernet connections (sometimes called “Wi-Fi”).

2.  This relatively new protocol is not supported by FireWall-1, but it deserves mention because of the increasing popularity of wireless networks in corporate settings. Wireless networks make it easy for users to connect to the network without having to string cables. At the same time, they present the security administrator with a considerable challenge: without some kind of authentication, any hacker with a laptop computer equipped with a wireless network card that ventures within a few hundred feet of the wireless network can potentially connect to it.
