CompTIA® Network+ Exam Notes : Authentication And Access Controls

4. Network Security

4.2 Authentication and access controls

Authentication: Authentication is the process of identifying an individual, usually based on a username and password. Authentication is based on the idea that each individual user will have unique information that sets him or her apart from other users.

Authorization: Authorization is the process of granting or denying a user access to network resources once the user has been authenticated through the username and password. The amount of information and the amount of services the user has access to depend on the user's authorization level.

Accounting: Accounting is the process of keeping track of a user's activity while accessing the network resources, including the amount of time spent in the network, the services accessed while there, and the amount of data transferred during the session. Accounting data is used for trend analysis, capacity planning, billing, auditing and cost allocation.

Kerberos: Kerberos is an authentication system used to authenticate users that log on to a network. Kerberos is an authentication service developed at MIT. Its purpose is to allow users and services to authenticate themselves to each other. The modules used by Kerberos include the Authentication Server (AS), Key Distribution Center (KDC), Ticket Granting Ticket Service (TGT), and Network Time Protocol (NTP). Kerberos is the default authentication protocol in Windows 2000 and later Microsoft OSs. Windows uses a negotiation mechanism to determine which authentication protocol will be used. If the Kerberos default fails or isn't supported by one of the client or server components involved in an authentication, Windows will fall back to NTLM.

RADIUS: RADIUS is a protocol that enables a single server to become responsible for all remote-access authentication, authorization, and auditing (or accounting) services. It is an authentication and accounting system used by many Internet Service Providers (ISPs). When you dial in to the ISP you must enter your username and password. This information is passed to a RADIUS server, which checks that the information is correct, and then authorizes access to the ISP system. RADIUS implements a client/server architecture, where the typical client is a router, switch, or AP and the typical server is a Windows or Unix device that is running RADIUS software.

TACACS+: TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation. You must have access to and must configure a TACACS+ server before the configured TACACS+ features on a network access server are available. It provides separate and modular authentication, authorization, and accounting facilities. TACACS+ allows a single access control server (the TACACS+ daemon) to provide each service (authentication, authorization, and accounting) independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon. The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service. The Cisco family of access servers and routers and the Cisco IOS user interface (for both routers and access servers) can be network access servers.

Access Control:

1. Wireless LAN with speeds above 1 Gbps, which can be achieved comfortably by 802.11ac (802.11ac is capable of 1300 megabits per second (Mbps) which is the equivalent of 162.5 megabytes per second (MBps)).

2. There are basically two types of secure access available: one is client based and the other is clientless. Client-based access uses IPSec and other similar technologies. It derives its name from the fact that a client program needs to be installed on the user's computer to secure the communication. Clientless remote network access typically uses SSL (Secure Sockets Layer) available from within the browser window. You don't need to install any client separately.

3. Port-based network access control, PNAC for short. IEEE 802.1X is an IEEE standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols.

Port security: The purpose of port security is to prevent access to the LAN from unauthorized hosts. You can use the port security feature to restrict input to an interface by limiting and identifying the MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.

Access Control Lists (ACL): An Access Control List (ACL) is a list of ports and services that are available on a host (or a network device such as a router), each with a list of hosts and/or networks permitted to use the service. Both nodes (workstations or servers) and routers can have access lists. Access lists are used to control both inbound and outbound traffic.
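As an added illustration of how an access list is evaluated (example code written for these notes, not taken from any vendor's implementation), the following models an inbound ACL the way a router processes one: rules are checked top-down, the first match decides, and a packet that matches nothing falls through to an implicit deny. The rule set and packet values are constructed sample data; the port numbers (445, 636, 389, 443) are the ones listed on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp", "icmp" or "any"
    src: str                 # source network in CIDR notation
    dst_port: Optional[int]  # destination port; None matches any port

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_port: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet falls inside the rule's protocol, source network and port."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.src):
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Top-down, first match wins; a packet matching no rule hits the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Constructed inbound ACL for a server segment (sample data, not from any real device):
# the office LAN may reach SMB and LDAPS, cleartext LDAP is refused, HTTPS is open to all.
INBOUND_ACL = [
    Rule("permit", "tcp", "10.0.0.0/24", 445),
    Rule("permit", "tcp", "10.0.0.0/24", 636),
    Rule("deny",   "tcp", "10.0.0.0/24", 389),
    Rule("permit", "tcp", "0.0.0.0/0",   443),
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.0.0.7", 445), Packet("tcp", "203.0.113.5", 445),
                Packet("tcp", "10.0.0.7", 389), Packet("udp", "10.0.0.7", 445)):
        print(pkt, "->", evaluate(INBOUND_ACL, pkt))
```

Note that the UDP packet to port 445 is denied even though the LAN may reach TCP 445: the protocol field is part of the match, so a rule written for one transport does not open the other.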

MAC Filtering: In computer networking, Media Access Control (MAC) filtering (or EUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network.
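The port security and MAC filtering behaviour described above, as an added example written for these notes (not code from any switch vendor): a simplified switch port holds a set of secure MAC addresses, made up of administrator-configured (filtered) addresses plus addresses it is allowed to learn up to a configured maximum, and drops and logs frames from any other source. The address formats accepted and the sample MACs are constructed.

```python
import re
from typing import Iterable, List

def normalize_mac(mac: str) -> str:
    """Canonicalise a 48-bit MAC written as aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or
    aabb.ccdd.eeff into lowercase colon form; reject anything that is not 12 hex digits."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class SecurePort:
    """Simplified switch port with port security.

    max_secure: how many source MACs the port may hold (static plus learned).
    static: administrator-configured MACs, i.e. the MAC-filtering allowlist.
    Frames from any other source are dropped and recorded as violations.
    """
    def __init__(self, max_secure: int, static: Iterable[str] = ()):
        self.max_secure = max_secure
        self.secure_macs = {normalize_mac(m) for m in static}
        if len(self.secure_macs) > max_secure:
            raise ValueError("more static MACs than max_secure allows")
        self.violations: List[str] = []   # what a monitoring system would be told about

    def forward(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        mac = normalize_mac(src_mac)
        if mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.max_secure:
            self.secure_macs.add(mac)      # dynamically learned secure MAC
            return True
        self.violations.append(mac)
        return False

if __name__ == "__main__":
    port = SecurePort(max_secure=1, static=["00-1A-2B-3C-4D-5E"])
    print(port.forward("00:1a:2b:3c:4d:5e"), port.forward("de:ad:be:ef:00:01"))
    print("violations:", port.violations)
```

With max_secure set to one and a single static address, the port behaves exactly as the notes describe: only that workstation's frames are forwarded and every other source is logged as a violation.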

Multifactor Authentication (MFA): MFA is a method of confirming a user's claimed identity in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism.

It is very important to know the distinction between Hashing, Digital signature, and Encryption:

  • Hashing produces a small footprint (basically, a signature) of the original message. It is used to verify the integrity of a message. A hash is generated by a formula in such a way that it is extremely unlikely that some other text will produce the same hash value. In other words, a hash is used to ensure that transmitted messages have not been tampered with.
  • Typically, the sender generates a hash of the message, encrypts it, and sends it with the message itself. The recipient then decrypts both the message and the hash, produces another hash from the received message (by using the same formula that was used to produce the hash by the sender), and compares the two hashes. If they're the same, there is a very high probability that the message was transmitted intact.
  • Encryption is used to translate a message into secret code. To read an encrypted file, you must have access to a secret key that enables you to decrypt it. Encrypted data is referred to as cipher text.
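The sender/recipient hash check described above, as an added example written for these notes (not code from the original page): the unkeyed hash detects corruption, and a keyed digest (HMAC-SHA256, standing in here for the "encrypted hash" the notes describe) additionally ties the hash to a shared key so that a message altered in transit is rejected. The key and messages are constructed sample values.

```python
import hashlib
import hmac

def message_hash(message: bytes) -> str:
    """Unkeyed SHA-256 digest: catches accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()

def make_tag(message: bytes, key: bytes) -> str:
    """Keyed digest (HMAC-SHA256) playing the role of the 'encrypted hash':
    only a holder of the shared key can produce a tag that verifies."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_tag(message: bytes, received_tag: str, key: bytes) -> bool:
    """Recipient side: recompute with the same formula and key, compare in constant time."""
    return hmac.compare_digest(make_tag(message, key), received_tag)

def bare_hash_check(message: bytes, received_hash: str) -> bool:
    """The unkeyed check: passes whenever the hash accompanying the message matches it."""
    return hmac.compare_digest(message_hash(message), received_hash)

# Constructed sample: a shared key both parties hold, and one message (not real data).
KEY = b"constructed-demo-key-not-for-production"
ORIGINAL = b"transfer 100 to account 42"
ALTERED = b"transfer 900 to account 42"

def demo() -> dict:
    """Summarise the three outcomes a practitioner should expect."""
    sent_tag = make_tag(ORIGINAL, KEY)
    return {
        # intact message with its tag: verifies
        "intact": verify_tag(ORIGINAL, sent_tag, KEY),
        # message changed in transit, tag left alone: rejected
        "altered": verify_tag(ALTERED, sent_tag, KEY),
        # unkeyed hash recomputed over the altered message: still passes, which is why
        # the notes have the sender protect (encrypt) the hash rather than send it bare
        "unkeyed_recomputed": bare_hash_check(ALTERED, message_hash(ALTERED)),
    }

if __name__ == "__main__":
    print(demo())
```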

Two main types of encryption are asymmetric encryption (also called public-key encryption) and symmetric encryption:

A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message. A digital signature can be used with an encrypted or even an unencrypted message. A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real.

There are three types of cryptographic algorithms that are commonly used. They are:

1. Hashing algorithms

2. Symmetric key-based algorithms

3. Asymmetric key-based algorithms

1. Hashing algorithms: Hashing is not an encryption scheme, but ensures that the transmitted data is not tampered with. Common hash algorithms include the following:

  • Secure Hash Algorithm (SHA, SHA-1): Developed by NSA, SHA-1 can generate a 160-bit hash from any variable-length string of data.
  • MD4, MD5: MD series of encryption algorithms generate a hash of up to 128-bit strength out of any length of data.

2. Symmetric algorithms: As the name suggests, symmetric key algorithms use the same key to encrypt as well as decrypt a message. Some of the commonly used symmetric key algorithms are:

  • DES (Data Encryption Standard): DES uses a 56-bit key on each 64-bit chunk of data. It is limited in use due to its short key length.
  • 3DES (Triple DES): 3DES greatly improves the security by providing three distinct keys. The total bit strength is 168 bits.
  • AES (Advanced Encryption Standard): AES is the successor to DES, and can use keys from 128-bit to 256-bit length.
  • Blowfish Encryption Algorithm: It is another flexible and secure symmetric encryption algorithm. It can perform encryption with an encryption key length of up to 448 bits. It can encrypt any length of data chunk.
  • IDEA (International Data Encryption Algorithm): It can encrypt 64-bit blocks of data and uses a 128-bit strength encryption key.
  • RC5, RC6 (Rivest Cipher): These are the most commonly used encryption security ciphers.

3. Asymmetric algorithms: Also known as public key algorithms, these algorithms use asymmetric keys for encoding and decoding a message. Given below are some of the popular asymmetric algorithms:

  • RSA algorithm: Widely used for encryption and digital signatures. Uses a public key and a private key for encryption and decryption.
  • Diffie-Hellman Key Exchange: This is one of the early key exchange algorithms.
  • Elliptic Curve Cryptography (ECC): This is another form of asymmetric key algorithm. One advantage of ECC algorithms is that they are very compact and more efficient compared to RSA.
  • Secret key cryptography: In this type a plain-text message can be converted into cipher text (encrypted data) and then converted back into plain text using one key. Thus, two devices share a secret key to encrypt and decrypt their communications.

LDAP: The Lightweight Directory Access Protocol is a directory service protocol that runs on a layer above the TCP/IP stack. It provides a mechanism used to connect to, search, and modify Internet directories. The LDAP directory service is based on a client-server model. The function of LDAP is to enable access to an existing directory.

Local Authentication: LDAP uses TCP 389 for unsecured communication and 636 for secured communication. An LDAP client starts a session by connecting to an LDAP server, called a Directory System Agent (DSA), by default on TCP port 389. Alternatively, a client may connect using secure LDAP communication over SSL. This is denoted in LDAP URLs by using the URL scheme "ldaps". The default port for LDAP over SSL is 636.

Various port numbers related to these protocols are as given below:

  • SMB - 445
  • POP - 110
  • IMAP - 143
  • LDAP - 389
  • LDAPS - 636
  • H.323 - 1720
