Network Authentication & Access Controls | CompTIA Network+ N10-007 | 4.2

In this video you will learn about authentication & access controls such as RADIUS, TACACS+, Kerberos, SSO, local authentication, LDAP, certificates, auditing & logging, multi-factor authentication, & various access controls such as 802.1x, NAC, port security, MAC filtering, captive portals, & access control lists.

Authentication, Authorization & Accounting (Triple A)

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a network protocol, operating on ports 1812 & 1813, that provides centralized authentication, authorization, and accounting (Triple A) management for users who connect to and use a network service.  A user who wants access to a network or an online service supplies a username & password to the access device, which relays them to the RADIUS server.  The server then authenticates the user and grants or declines access to the network or service.
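As an added example (not from the video or from any RADIUS implementation), the following Python builds the Access-Request packet an access device sends to port 1812 and shows how the User-Password attribute is hidden with the shared secret as described in RFC 2865; the secret, username and password are constructed values. The server-side reversal is included because it shows that the hiding is reversible obfuscation, so the shared secret and the path between access device and server are what actually protect the password.

```python
import hashlib
import secrets
import struct

# Constructed example secret; a real access device and server share their own.
SHARED_SECRET = b"example-shared-secret"

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password to 16-byte blocks, then XOR each
    block with MD5(secret + previous ciphertext block); the 'previous block'
    for the first round is the 16-byte Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        out += prev
    return bytes(out)

def reveal_password(hidden, secret, authenticator):
    """Server side: undo the hiding. This is reversible obfuscation, not a hash,
    so anyone holding the shared secret recovers the cleartext password."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")  # strips the null padding

def build_access_request(username, password, secret, identifier=1, authenticator=None):
    """Access-Request (Code 1): 20-byte header + User-Name (type 1) + User-Password (type 2)."""
    authenticator = authenticator or secrets.token_bytes(16)  # fresh random value per request
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet, secret):
    """Walk the type-length-value attributes and recover the username and password."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, attrs[1], reveal_password(attrs[2], secret, authenticator)
```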

TACACS+

Terminal Access Controller Access-Control System (TACACS) refers to a family of related protocols for remote authentication and related services for networked access control through a centralized server.  The original TACACS protocol, which dates back to 1984, was used for communicating with an authentication server and was common in older UNIX networks.  A user already authenticated into the network via TACACS was automatically logged into other resources in the system as well.  TACACS in its original form is not very secure; it has been updated and replaced by TACACS+, a proprietary protocol from Cisco Systems.

Kerberos

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.  Kerberos was designed primarily for a client-server model to provide mutual authentication, where both the user and the server verify each other’s identity.  The client authenticates itself to the Authentication Server, which forwards the username to a key distribution center (KDC).  The KDC issues a time-stamped ticket-granting ticket (TGT), encrypts it using the ticket-granting service’s (TGS) secret key, and returns the encrypted result to the user’s workstation.  This is done infrequently, typically at user logon; the TGT expires at some point, although it may be transparently renewed by the user’s session manager while they are logged in.  Kerberos uses UDP port 88 by default.

Single Sign-On (SSO)

SSO is a property of access control of multiple related, yet independent, software systems.  Some SSO implementations require the user to sign in just once, whereas others can detect the correct credentials when the user connects and perform a silent or promptless login.  Some of the benefits and risks of SSO include:

  • Benefits
    • Users have fewer username & password combinations to remember.
    • Users get to work faster because they spend less time entering passwords.
    • Users don’t need to ask for assistance from help desk employees because of lost passwords.
    • SSO makes managing the security profiles of individual users easier.
  • Risks
    • A compromised SSO password puts all resources accessible with SSO at risk.
    • A disgruntled employee with SSO access can cause problems with all resources accessible with SSO.
    • A lost or forgotten SSO password prevents the employee from doing any work until a new password is set up.

Local Authentication

Local authentication refers to the network device authenticating the user against a database of user account information stored on the device itself; this is often an important fallback method of authentication should an external method fail.[1]

LDAP (Lightweight Directory Access Protocol)

LDAP is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an IP network.  Directory services play an important role in developing intranet and internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network.  As such, a directory service may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory.  Microsoft refers to this as directory services.  LDAP uses port 389.

Certificates

In cryptography, a certificate authority (CA) is an entity that issues digital certificates.  A digital certificate certifies the ownership of a public key by the named subject of the certificate.  This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key.  A CA acts as a trusted third party, trusted both by the subject (owner) of the certificate and by the party relying upon the certificate.  Trusted certificates can be used to create secure connections to a server via the Internet.  A certificate is essential in order to defeat a malicious party on the route to a target server that acts as if it were the target.  Such a scenario is commonly referred to as a man-in-the-middle attack.  The client uses the CA certificate to verify the CA signature on the server certificate, as part of the checks performed before launching a secure connection.[2]

Auditing & Logging

Network auditing is the process of mapping and inventorying your network in terms of hardware and software.  It’s a fairly complex task that involves manually identifying network elements.  In some cases, network auditing tools can provide automation support to identify the devices and services connected to the network.  In addition to hardware & software, auditing should include security documentation such as user accounts and groups as well as permissions.[3]

A network log is typically a file that contains a record of events that occurred in an application.  It contains the record of user and process access calls to objects, attempts at authentication, & other activity.[4]

Multi-Factor Authentication

Multi-factor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism.  Typically, multi-factor authentication works with some combination of the following:

  • What the user knows (password or PIN)
  • What the user has (smart card or fob)
  • Who the user is (biometric data)
  • Something the user does (handwriting, signature)
  • Where the user is (trusted or untrusted locations)
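To make the "what the user has" factor concrete, here is an added Python example (not from the video) of the time-based one-time password (TOTP, RFC 6238) that hardware fobs and authenticator apps generate, together with the server-side check that tolerates token clock drift and refuses a replayed code; the secret is whatever the server enrolled for the user, and the `used` set is assumed to be persisted by the server between requests.

```python
import hashlib
import hmac
import struct

def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP built on HOTP (RFC 4226): counter = floor(time / step),
    HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation to
    31 bits, then reduce modulo 10^digits and zero-pad."""
    counter = int(at_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def verify_totp(secret, submitted, at_time, step=30, digits=6, skew=1, used=None):
    """Server-side check of a submitted code: accept the current time step or
    one of the +-skew neighbouring steps (token clock drift), compare in constant
    time, and record accepted counters so the same code cannot be replayed.
    Pass a persistent 'used' set; a fresh set per call gives no replay protection."""
    used = used if used is not None else set()
    counter = int(at_time) // step
    for c in range(counter - skew, counter + skew + 1):
        if c in used:
            continue
        if hmac.compare_digest(totp(secret, c * step, step, digits), submitted):
            used.add(c)
            return True
    return False
```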

Access Control

802.1x

IEEE 802.1x is the standard for port-based Network Access Control (PNAC).  It provides an authentication mechanism for devices wishing to attach to a LAN or WLAN.  802.1x authentication involves three parties: a supplicant, an authenticator, and an authentication server.  The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN; the term ‘supplicant’ is also used for the software running on the client that provides credentials to the authenticator.  The authenticator is a network device, such as an Ethernet switch or wireless access point, that provides the data link between the client and the network and can allow or block network traffic between the two.  The authentication server is typically a trusted server that receives and responds to requests for network access and tells the authenticator whether the connection is to be allowed and what settings should apply to that client’s connection.  Authentication servers typically run software supporting the RADIUS and EAP protocols.  In some cases, the authentication server software may be running on the authenticator hardware.

NAC (Network Access Control)

NAC is an approach to computer security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, & vulnerability assessment), user or system authentication and network security enforcement.[5]  NAC uses a set of protocols to define and implement a policy that describes how to secure access to network nodes by devices when they initially attempt to access the network.  NAC might integrate the automatic remediation process (fixing non-compliant nodes before allowing access) into the network systems, allowing the network infrastructure such as routers, switches & firewalls to work together with back office servers and end user computing equipment to ensure the information system is operating securely before interoperability is allowed.  A basic form of NAC is the 802.1x standard.

Port Security

By default, all interfaces on a switch are turned on.  That means that an attacker could connect to the network through a wall socket & potentially threaten it.  If you know which devices will be connected to which ports, a network admin can implement port security.  By using port security, a network admin can associate specific MAC addresses with the interface, which can prevent an attacker from connecting their device.  This way an admin can restrict access to an interface so that only the authorized devices can use it.  If an unauthorized device is connected, an admin can decide what action the switch is to take, for example discarding the traffic and shutting down the port.[6]

MAC Filtering

MAC (media access control) filtering refers to a security access control method whereby the MAC address assigned to each network card is used to determine access to the network.  MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists.  While MAC filtering does give a network some additional protection, it can be circumvented by using a packet analyzer to find a valid MAC address and then using MAC spoofing software to access the network using that MAC address because MAC addresses are not encrypted.

Captive Portal

A captive portal is a web page accessed with a web browser that is displayed to newly connected users of WiFi or a wired network before they are granted broader access to network resources.  Captive portals are commonly used to present a landing or log-in page which may require authentication, payment, acceptance of an end-user license agreement, acceptable use policy, survey completion, or other valid credentials that both the host and user agree to adhere to.  Captive portals are used for a broad range of mobile & pedestrian broadband services, including cable and commercially provided WiFi and home hotspots.  A captive portal can also be used to provide access to enterprise or residential wired networks, such as apartment houses, hotel rooms, & business centers.  A captive portal is not a secure connection.  However, if the terms of service listed are enforced by network configuration settings (for example, settings that block the use of keyboard loggers or remote control apps), it is slightly more secure than an open network.

Access Control Lists (ACL)

An ACL is a list of permissions associated with a system resource (object).  An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.  There are two types of ACLs:[7]

  • Filesystem ACL:  filter access to files and/or directories.  Filesystem ACLs tell operating systems which users can access the system and what privileges the users are allowed.
  • Networking ACL:  filter access to the network.  Networking ACLs tell routers & switches which type of traffic can access the network and which activity is allowed.
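As an added example (not from the video or from any router vendor), the following Python models how a networking ACL is evaluated: entries are checked top-down, the first match wins, and anything unmatched falls through to the implicit deny. The rule syntax and the sample ACL are constructed for illustration; it is written so you can test how reordering entries changes the outcome.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None = any destination port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None

def parse_rule(line):
    """Parse one entry in a constructed, router-like syntax:
    '<permit|deny> <proto> <src-cidr> <dst-cidr> [eq <port>]'."""
    p = line.split()
    dport = int(p[5]) if len(p) > 5 and p[4] == "eq" else None
    return Rule(p[0], p[1], ipaddress.ip_network(p[2]), ipaddress.ip_network(p[3]), dport)

def matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and pkt.src in rule.src and pkt.dst in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(acl, pkt):
    """Entries are checked top-down and the first match wins; a packet that
    matches nothing hits the implicit deny at the end, reported as index None."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None

def packet(proto, src, dst, dport=None):
    return Packet(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)

# Constructed ACL: SSH to one server only from the management subnet, DNS to the
# resolver from anywhere in 10/8, and all other 10/8 traffic to the server VLAN denied.
ACL = [parse_rule(line) for line in """
permit tcp 10.1.0.0/24 192.168.1.10/32 eq 22
permit udp 10.0.0.0/8 192.168.1.53/32 eq 53
deny ip 10.0.0.0/8 192.168.1.0/24
""".splitlines() if line.strip()]
```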

References

  1. Sequeira, A. (2018). CompTIA Network+ N10-007 Cert Guide.
  2. Villanueva, J. (2015). How do Digital Certificates Work – An Overview. JScape.
  3. Herrick, S. (2020). What is a Network Audit? When Do You Need One? Data Centers.
  4. Lidster, W. Network Logging: Definition & Tools. Study.
  5. Port Based Network Access Control. 802.1X.
  6. Port Security. Study CCNA.
  7. Access Control List (ACL). Imperva.