
Chapter 13: Authentication and Access Control
Chapter 13 Objectives

The following CompTIA Network+ exam objectives are covered in this chapter:

• 3.3 Given a scenario, implement network hardening techniques
  – Switch port security
    o MAC address filtering
  – Use secure protocols
    o TLS/SSL
  – Access lists
    o IP filtering
    o Port filtering
  – User authentication
    o CHAP/MSCHAP
    o EAP
    o Kerberos
    o Multifactor authentication
    o Two-factor authentication
    o Single sign-on
Chapter 13 Objectives (Cont)

• 5.10 Given a scenario, configure and apply the appropriate ports and protocols
  – 3389 RDP
  – 22 SSH
• 1.2 Compare and contrast the use of networking services and applications
  – VPN
    o Site to site/host to site/host to host
    o Protocols
      - IPsec
      - GRE
      - SSL VPN
      - PTP/PPTP
  – TACACS/RADIUS
  – RAS
  – Web services
  – Unified voice services
  – Network controllers
• 3.6 Explain the purpose of various network access control models
  – 802.1x
  – Posture assessment
  – Guest network
  – Persistent vs non-persistent agents
  – Quarantine network
  – Edge vs access control
Security Filtering

How do we know who’s really at the other end of our connections?

The answer to the question may seem simple enough because the computer or person on the other end of the connection has to identify him/her/itself, right?

Wrong!

That’s just not good enough, because people—especially hackers—lie!

The first line of defense is called security filtering, which broadly refers to ways to let people securely access your resources.
Access Control Lists (ACLs)

[Figure: Network A (“Private” network) and Network B (“Public” network) joined by a router. A can access B; B can access A only if a secure, authenticated connection is detected.]

• Firewalls are tools implemented to prevent unauthorized users from gaining access to your private network.
• Firewalls can either be stand-alone devices or combined with another hardware device like a server or a router.
• Firewalls can use many different technologies to restrict information flow; the primary method is known as an access control list (ACL).
• ACLs typically reside on routers to determine which devices are allowed to access them based on the requesting device’s Internet Protocol (IP) address.
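The IP-filtering and port-filtering behaviour of a router ACL, as an added example that is not part of the original slides: rules are evaluated first-match with an implicit deny at the end, and a second check flags rules that an earlier entry makes unreachable. The networks, the web server address and the rule set are constructed to mirror the figure (Network B is the public side, Network A the private side).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One ACL entry: action, protocol, source/destination networks, port."""
    action: str                          # "permit" or "deny"
    proto: str                           # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None          # destination port; None = any

    def matches(self, proto, src, dst, dport):
        return ((self.proto in ("any", proto)) and src in self.src
                and dst in self.dst
                and (self.dport is None or self.dport == dport))

def evaluate(acl, proto, src, dst, dport=None):
    """Router-style first-match evaluation: the first rule that matches
    decides, and a packet matching no rule hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if rule.matches(proto, s, d, dport):
            return rule.action
    return "deny"

def shadowed(acl):
    """Indexes of rules that can never fire because an earlier rule already
    covers every packet they would match, a frequent ACL ordering mistake."""
    out = []
    for i, r in enumerate(acl):
        if any(e.proto in ("any", r.proto) and r.src.subnet_of(e.src)
               and r.dst.subnet_of(e.dst)
               and (e.dport is None or e.dport == r.dport)
               for e in acl[:i]):
            out.append(i)
    return out

# Constructed addressing for the figure: Network A (private) and Network B
# (public); hosts on B may only reach A's web server over HTTPS.
NET_A = ipaddress.ip_network("10.1.0.0/16")
NET_B = ipaddress.ip_network("198.51.100.0/24")
WEB_SERVER = ipaddress.ip_network("10.1.5.80/32")
INBOUND_ACL = [
    Rule("permit", "tcp", NET_B, WEB_SERVER, 443),
    Rule("deny", "any", NET_B, NET_A),
    Rule("permit", "any", NET_A, NET_A),
]
```

Swapping the first two rules makes the HTTPS permit unreachable, which `shadowed()` reports; that is the check to run before pushing an ACL to a router.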
Tunneling

[Figure: a single private path, or tunnel, through the Internet.]

• Tunneling is a concept which means encapsulating one protocol within another to ensure that a transmission is secure.
• Here’s an example: the lion’s share of us use IP, known as a payload protocol, which can be encapsulated within a delivery protocol like Internet Protocol Security (IPSec). If you took a look at each packet individually, you would see that they’re encrypted.
Tunneling Protocols

• There are several tunneling protocols implemented that you need to be familiar with:
  – Virtual Private Network (VPN)
  – Secure Sockets Layer (SSL)
  – Secure Sockets Layer Virtual Private Network (SSL VPN)
  – Layer 2 Tunneling Protocol (L2TP)
  – Point to Point Tunneling Protocol (PPTP)
  – Internet Protocol Security (IPSec)
Virtual Private Network (VPN)

A VPN is used so a host can traverse an insecure network (the Internet) and become local to the remote network.

[Figure: my host in Colorado connects over the Internet through a VPN to the secure VLAN at the Dallas corporate office (servers in the secure server room); now my host appears local to the servers.]
Virtual Private Network (VPN) (Cont)

• Remote access VPNs
  – Remote access VPNs allow remote users like telecommuters to securely access the corporate network wherever and whenever they need to.
• Site-to-site VPNs
  – Site-to-site VPNs, or intranet VPNs, allow a company to connect its remote sites to the corporate backbone securely over a public medium like the Internet instead of requiring more expensive wide area network (WAN) connections like frame relay.
• Extranet VPNs
  – Extranet VPNs allow an organization’s suppliers, partners, and customers to be connected to the corporate network in a limited way for business-to-business (B2B) communications.
SSL and SSL VPN

• Secure Sockets Layer (SSL). This security protocol was developed by Netscape to work with its browser. It’s based on Rivest, Shamir, and Adleman (RSA) public-key encryption and used to enable secure Session-layer connections over the Internet between a web browser and a web server.

[Figure: The SSL connection process between a PC and a server: Connection Request, Secure Connection Needed, Security Capabilities, SSL Session Established.]

• An SSL VPN is really the process of using SSL to create a Virtual Private Network (VPN).
IPSec – Tunnel Mode

• In tunnel mode, the complete packet is encapsulated within IPSec.
• ESP gives us both authentication and encryption.
• Tunnel mode is created between two endpoints, such as two routers or two gateway servers, protecting all traffic that goes through the tunnel.

[Figure 13.5]
L2TP and PPTP

• L2TP
  – Layer 2 Tunneling Protocol (L2TP), created by the Internet Engineering Task Force (IETF), supports non-TCP/IP protocols in VPNs over the Internet.
  – L2TP is a combination of Microsoft’s Point-to-Point Tunneling Protocol (PPTP) and Cisco’s Layer 2 Forwarding (L2F) technologies.

• PPTP
  – Point-to-Point Tunneling Protocol was developed jointly by Microsoft, Lucent Technologies, 3COM, and a few other companies.
  – Not sanctioned by the IETF.
  – PPTP acts by combining an unsecured Point-to-Point Protocol (PPP) session with a secured session using the Generic Routing Encapsulation (GRE) protocol.
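Tunneling as encapsulation (the Tunneling slide) and the GRE delivery protocol named under PPTP, as an added example that is not part of the original slides: an inner IPv4 packet is wrapped in an outer IPv4 header plus a 4-byte GRE header, and the tunnel endpoint strips them again. The addresses and the "hello" payload are constructed; the example also shows that GRE alone leaves the inner bytes readable on the wire, which is why the slides pair it with IPSec for encryption.

```python
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; the checksum is left at zero here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Delivery protocol (outer IPv4 + 4-byte GRE header) wrapped around the
    payload protocol (the inner IPv4 packet), as a plain GRE tunnel does."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no C/K/S flags, version 0
    return ipv4_header(outer_src, outer_dst, GRE_PROTO,
                       len(gre) + len(inner)) + gre + inner

def gre_decapsulate(packet: bytes) -> bytes:
    """Tunnel endpoint side: validate the outer headers and return the inner
    packet. Raises ValueError for anything that is not plain IPv4-in-GRE."""
    if len(packet) < 24 or packet[0] >> 4 != 4 or packet[9] != GRE_PROTO:
        raise ValueError("not an IPv4 packet carrying GRE")
    ihl = (packet[0] & 0x0F) * 4
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000 or ptype != ETHERTYPE_IPV4:  # C, K or S bit set
        raise ValueError("unsupported GRE header")
    return packet[ihl + 4:]

def payload_visible(tunnel_packet: bytes, marker: bytes) -> bool:
    """What a passive observer sees: with GRE alone the inner bytes are
    readable on the wire; only a protocol such as IPSec hides them."""
    return marker in tunnel_packet

# Constructed inner packet: a TCP segment from 10.1.0.5 to 10.2.0.9 carrying
# the bytes "hello", then tunneled between two constructed public addresses.
INNER = ipv4_header("10.1.0.5", "10.2.0.9", 6, 5) + b"hello"
TUNNELED = gre_encapsulate(INNER, "192.0.2.1", "198.51.100.1")
```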
IPSec

IP Security (IPSec) was designed by the IETF for providing authentication and encryption over the Internet. It works at the Network layer of the OSI model (Layer 3) and secures all applications that operate in the layers above it.

• IPSec works in two modes: transport mode and tunnel mode.
• Transport mode is the simpler of the two; it creates a secure IP connection between two hosts.
• The data is protected by authentication and/or encryption.
Encryption

• Encryption works by running the data (which when encoded is represented as numbers) through a special encryption formula called a key that the designated sending and receiving devices both “know.” When encrypted data arrives at its specified destination, the receiving device uses that key to decode the data back into its original form.

• An encryption key is essentially a table or formula that defines a specific character in the data that translates directly to the key. Encryption keys come in two flavors: public and private.
Encryption Standards

Data Encryption Standard (DES)
• IBM developed the most widely used private-key system: Data Encryption Standard (DES).
  – It was made a standard in 1977 by the U.S. government.
• DES uses lookup and table functions and works much faster than public-key systems.
• DES uses 56-bit private keys.

Triple Data Encryption Standard (3DES)
• Triple Data Encryption Standard was originally developed in the late 1970s.
• It was the recommended method of implementing DES encryption in 1999.
• 3DES encrypts three times, and it allows us to use one, two, or three separate keys.
• 3DES is slow.
Encryption Standards (Cont)

Advanced Encryption Standard (AES)
• The Advanced Encryption Standard (also known as Rijndael) has been the “official” encryption standard in the United States since 2002.
• AES has key lengths of 128, 192, or 256 bits.
• The United States government has determined that 128-bit security is adequate for things like secure transactions and all materials deemed Secret.
• All Top Secret information must be encoded using 192- or 256-bit keys.
• The AES standard has proven amazingly difficult to crack.
Public Key Encryption

[Figure: User X’s original message (“Don’t forget the chocolate!” with a list of milk, bread, eggs, and cat food) is encrypted using User Y’s public key, travels as ciphertext, and is decrypted using User Y’s private key. The reply message is encrypted using User X’s public key and decrypted using User X’s private key.]

• Public key encryption uses the Diffie-Hellman algorithm employing a public key and a private key to encrypt and decrypt data.
• The sending machine’s public key is used to encrypt a message to the receiving machine.
• The receiver decrypts the message with its private key.
• If the original sender doesn’t have a public key, the message can still be sent with a digital certificate, often called a digital ID, which verifies the sender of the message.
Pretty Good Privacy (PGP)

[Figure: PGP encryption process: the document is encrypted with a session key; the session key is encrypted with the recipient’s public key taken from the key store; the ciphertext plus the encrypted session key are sent as the encrypted message. Decryption process: the recipient’s private key decrypts the session key, and the session key then decrypts the ciphertext back into the document.]
RAS

[Figure: a remote access client connects to a remote access server to reach remote resources.]

• Remote Access Services (RAS) is not a protocol but refers to the combination of hardware and software required to make a remote-access connection.
• The term was popularized by Microsoft when the company began referring to its Windows NT–based remote-access tools under this name.
  – Users would dial in via a modem.
  – They would be authenticated by the server.
  – They were asked for their username and password as if they were on the local network.
  – Once logged in, users had access to data on the internal network just as if they were logged in locally.
Remote Access

RDP
• Remote Desktop Protocol (RDP) allows users to connect to a computer running Microsoft’s Terminal Services. Most Windows-based operating systems include an RDP client.
• After establishing a connection, the user sees a terminal window that’s basically a preconfigured window that looks like a Windows or other operating system’s desktop.

PPP
• Point to Point Protocol (PPP) is a Layer 2 protocol that provides authentication, encryption, and compression services to clients logging in remotely.

PPPoE
• Point to Point Protocol over Ethernet (PPPoE) is an extension of PPP. Its purpose is to encapsulate PPP frames within Ethernet frames.
Remote Access

ICA
• Independent Computing Architecture (ICA) is a protocol designed by Citrix Systems to provide communication between servers and clients.
• Citrix’s WinFrame uses ICA to allow administrators to set up Windows applications on a Windows-based server and then allow clients with virtually any operating system to access those applications.

SSH
• SSH was designed as an alternative to command-based utilities such as Telnet that transmit requests and responses in clear text.
• SSH creates a secure channel between the devices and provides confidentiality and integrity of the data transmission. It uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.
User Account and Resource Security

• Network Resource-Sharing Security Models
  – Share-Level Security
  – User-Level Security
• Managing User Accounts
  – Disabling Accounts
  – Setting Up Anonymous Accounts
  – Limiting Connections
  – Renaming the Maintenance Account
• Managing Passwords
  – Minimum Length
  – Complexity
User-Authentication Methods

Public Key Infrastructure (PKI)

[Figure: Mike sends a message together with a certificate issued by a certificate authority to Jeff. Jeff can verify that the message with the certificate from Mike is valid if he trusts the CA.]

• Public Key Infrastructure (PKI) is a system that links users to a public key that verifies the user’s identity by using a certificate authority (CA).
• The CA is an online entity responsible for validating user IDs and issuing unique identifiers to confirmed individuals to certify that their identity can really be trusted.
PKI in Action

[Figure 13.12: Public key encryption at work. (1) Joe creates a message for Jenny (“This message is for Jenny…”). (2) Joe uses Jenny’s public key to encrypt the message. (3) The data gets sent across the wire as ciphertext. (4) Jenny uses her private key to decrypt the message. (5) Jenny can read the message.]
User-Authentication Methods

Kerberos

[Figure: Kerberos exchange among the client, the authentication server, and the application server: (1) Request for ticket granting ticket (TGT); (2) TGT returned by authentication service; (3) Request for application ticket (authenticated with TGT); (4) Application ticket returned by ticket-granting service; (5) Request for service (authenticated with application ticket).]
Authentication, Authorization, and Accounting (AAA)

RADIUS
• Although its name implies it, Remote Authentication Dial-In User Service (RADIUS) is not a dial-up server; it has evolved into more of a verification service.
• RADIUS is an authentication and accounting service used for verifying users over various types of links, including dial-up.
• RADIUS servers provide client/server-based authentication and encryption services and maintain user profiles in a central database.
• RADIUS is also used in firewalls to verify the credentials given; if successful, access is granted.
Authentication, Authorization, and Accounting (AAA)

TACACS+
• The Terminal Access Controller Access-Control System Plus (TACACS+) protocol is an alternative AAA method to RADIUS.
• TACACS+ separates authentication and authorization into two profiles (RADIUS uses one profile).
• TACACS+ utilizes the connection-based TCP protocol (RADIUS uses UDP).
• TACACS+ is considered more stable and secure than RADIUS.
Network Access Control (NAC)

• Network Access Control (NAC) is a method of securing network hosts before they’re allowed to access the network.
• NAC is commonly used in wireless networking implementations, where nodes are often added to and removed from the network freely.
• IEEE 802.1x is one of the most common forms of NAC.
Challenge Handshake Authentication Protocol (CHAP)

• Challenge Handshake Authentication Protocol (CHAP) is a secure authentication protocol because with CHAP, the username and password never cross the wire. Instead, both the client and server are configured with the same text phrase that’s known as a shared secret.
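The CHAP exchange described above, as an added example that is not part of the original slides: the server issues a random challenge, the client answers with the RFC 1994 MD5 hash over the identifier, the shared secret and the challenge, and the server recomputes that hash from its own copy of the secret. The shared secret value, the user name "alice" and the class and function names are constructed for the example.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response value: MD5 over the one-octet Identifier,
    the shared secret and the challenge value, concatenated in that order."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class ChapAuthenticator:
    """Server side: holds the shared secrets, issues challenges and checks
    responses. The secret itself is never placed on the wire."""
    def __init__(self, secrets):
        self.secrets = secrets      # name -> shared secret (both ends have it)
        self.pending = {}           # identifier -> outstanding challenge

    def challenge(self, identifier: int, size: int = 16) -> bytes:
        value = os.urandom(size)    # fresh, unpredictable challenge each time
        self.pending[identifier] = value
        return value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)   # single use
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare

def chap_exchange(server: ChapAuthenticator, name: str, client_secret: bytes,
                  identifier: int = 1) -> bool:
    """One round trip. Only the challenge (server -> client) and the name plus
    hash (client -> server) cross the link; the secret stays on both hosts."""
    challenge = server.challenge(identifier)
    response = chap_response(identifier, client_secret, challenge)
    return server.verify(identifier, name, response)

# Constructed shared secret, provisioned on both peers out of band.
SHARED_SECRET = b"example-shared-secret"
```

Because each challenge is consumed on first use, a captured response cannot be presented a second time, which is the property that lets the hash travel in the clear.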
Other AAA

MS-CHAP
• Microsoft has its own variation of CHAP known as Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).
• Unlike CHAP, which requires the shared secret to be stored locally in clear text, MS-CHAP encrypts the secret locally.
• MS-CHAP version 2 is capable of mutual authentication so that the client can be sure the server is legitimate as well.

Extensible Authentication Protocol (EAP)
• Extensible Authentication Protocol (EAP) is an extension to PPP providing additional authentication methods for remote access clients:
  – Smart cards
  – Certificates
  – Kerberos
  – Biometric schemes (retinal scans and fingerprints)
Summary

• Summary
• Exam Essentials Section
• Written Labs
• Review Questions