Access Methods and Remote Connectivity
Well-designed networks will always require authentication and access control. You might be internal to the organization or on the road in a hotel. Being outside the organization raises other concerns besides proper authentication, such as confidentiality and privacy. This section discusses an array of topics, including the Password Authentication Protocol (PAP), the Challenge Handshake Authentication Protocol (CHAP), virtual private networks (VPNs), and IP Security (IPSec).
Point-to-Point Protocol (PPP)
PPP is the most commonly used protocol for dial-up connections. It can run on a line of any speed, from POTS to T1. Developed in 1994 by the IETF, PPP is a replacement to Serial Line IP (SLIP). SLIP is capable of carrying only IP and had no error detection, whereas PPP supports many types of authentication, including PAP, CHAP, and EAP.
Password Authentication Protocol (PAP)
This authentication protocol uses a two-way handshake to authenticate a client to a server when a link is initially established. PAP is vulnerable because it sends the password in clear text, which makes it highly vulnerable to snif-fing attacks.
Challenge Handshake Authentication Protocol (CHAP)
CHAP is an improved version of the PAP protocol. It uses a three-way handshake to authenticate both the client and the server. The server uses MD5 to encrypt the challenge with the password stored in its database. The client is also sent the challenge, which it combines with the entered password. This hashed value is returned to the server for comparison. No plain text ever crosses the network. MS-CHAP is an improved version of CHAP that goes a step further by storing the clear-text password in an encrypted form.
Extensible Authentication Protocol (EAP)
EAP makes PPP more robust by adding the capability to implement different types of authentication mechanisms, including digital certificates, token cards, and MD5-Challenge. EAP is used in by 802.11i wireless LAN security protocols such as WPA to authenticate an end user or device. When used in this manner, the wireless access point initiates the EAP protocol. EAP can then negotiate an encryption key, called the pair-wise master key (PMK). When the key has been established, it can be used by the Advanced Encryption Standard (AES) or the Temporal Key Integrity Protocol (TKIP) to encrypt the communication session.
EAP can be implemented in many different ways, including EAP-MD5, EAP-TLS, EAP-SIM, LEAP, PEAP-MSCHAP, and PEAP-GTC. The goal is not for you to memorize each of these in detail, but to understand that, as a CISSP, you must be able to select the appropriate protocol, depending on the policy established for authentication strength. |
Virtual Private Networks (VPNs)
VPNs are used to connect devices through the public Internet. Their primary benefit is that they offer a cost advantage over private lines and T1s by providing the same capabilities as a private network at a much lower cost. The big concern with a VPN is privacy; after all, you're sending your company's traffic over the public Internet. Three protocols are used to provide VPN functionality and security: the Point-to-Point Tunneling Protocol (PPTP), the Layer 2 Tunneling Protocol (L2TP), and Internet Security (IPSec).
When an appropriate protocol is defined, the VPN traffic can be tunneled through the Internet. Two types of tunnels can be implemented:
- LAN-to-LAN tunnels Users can tunnel transparently to each other on separate LANS.
- Client-to-LAN tunnels Mobile users can connect to the corporate LAN.
Having a tunnel is just one part of establishing communication. Another important concept is that of authentication. Almost all VPNs use digital certificates serve as the primary means of authentication. X.509 v3 is the de facto standard. X.509 specifies certificate requirements and their contents. Much like that of a state driver's license office, the Certificate Authority guarantees the authenticity of the certificate and its contents. These certificates act as an approval mechanism.
Just as with other services, organizations need to develop policies to define who will have access to the VPN and how the VPN will be configured. It's important that VPN policies be designed to map to the organization's security policy. Senior management must approve and support this policy.
Remote Authentication Dial-in User Service (RADIUS)
RADIUS was designed for dial-up users and typically used a modem pool to connect to the organization's network. Because of the features RADIUS offers, it is now used for more than just dial-up users. Enterasys uses it for secure network products, and WAPs and 802.11i also widely use it. A RADIUS server contains usernames, passwords, and other information to validate the user. RADIUS is a well-known UDP-based authentication and accountability protocol. Information is passed to RADIUS using PAP or CHAP. The RADIUS client then encrypts the information and sends it to the RADIUS server to be authenticated.
Terminal Access Controller Access Control System (TACACS)
TACACS is an access-control protocol used to authenticate a user logging onto a network. TACACS is a UDP-based protocol that provides authentication, authorization, and accountability. It was originally used in Cisco devices. TACACS is very similar to RADIUS. When TACACS receives an authentication request, it forwards the received username and password to a central database. This database verifies the information received and returns it to TACACS to allow or deny access based on the results. The fundamental reason TACACS did not become popular is because TACACS is a proprietary solution from Cisco, and its use would require the payment of royalties. TACACS+, which is neither proprietary nor compatible with TACACS, was introduced in 1990. TACACS+ is TCP based and offers extended two-factor authentication.
IPSec
IPSec was developed to provide security for IP packets. Without IPSec, someone could capture, read, or change the contents of data packets and then send them back to the unsuspecting target. The current version of IP, IPv4, supports IPSec as an add-on; IPv6 has IPSec built in. IPSec offers its users several levels of cryptographic security:
- Authentication header (AH) Protects data against modification; does not provide privacy
- Encapsulating security payload (ESP) Provides privacy and protects against malicious modification
- Internet key exchange (IKE) Allows secret keys to be exchanged securely before communications begin
Because IPSec can be applied below the application layer, any application can use it. IPSec has two modes of operation:
- Transport mode Functions as a host-to-host connection involving only two machines, which protects just the payload.
- Tunnel mode Protects the payload and the header. In this configuration, IPSec acts as a gateway; traffic for any number of client computers can be carried.