Chapter 2: AAA Security Technologies
Chapter 1 covered security issues that are common to the infrastructure of a network and the countermeasures needed to mitigate them. This chapter addresses unauthorized access and repudiation in enterprise environments, both of which create a potential for intruders to gain access to sensitive network equipment.
I’ll begin with a detailed examination of Cisco’s authentication, authorization, and accounting (AAA) architecture and the technologies that both use and provide these features. I’ll discuss both of the major protocols used to provide the AAA architecture: TACACS+ and RADIUS. The focus will then shift to configuring network access servers and networking equipment to provide the security features of the AAA architecture. I’ll also examine the Cisco Secure Access Control Server (ACS) software, which is designed to secure networks and maintain detailed records of the people connecting to your networking devices.
Access Control Security
Access control has long frustrated administrators and users alike. As networks continue to converge, administrators increasingly need the flexibility to determine and control access to the resources under their care. Administrators face new demands for remote access combined with strong security. For example, remote users and telecommuters need to access their corporate networks; they need to work in the same network environment they would have if they were sitting at their desks in the office. This creates a significant need for an administrator to give those users flexible and seamless access while retaining the ability to enforce security and resource accountability. Also, within most networks, different administrators have varying responsibilities that require varying levels of access privileges.
There are three components to access control:
Determining who is allowed access to a network
Determining what services they are allowed to access
Providing detailed accounting records of the services that were accessed
Access control is based on a modular architecture known as authentication, authorization, and accounting (AAA). The AAA network security services provide the framework through which you set up access control on your router. As mentioned earlier, AAA is based on a modular architecture; as such, each module will be discussed separately.
Authentication is the process of determining whether someone or something is, in fact, who or what it declares itself to be. In private and public computer networks, authentication is commonly accomplished through the use of logon passwords. The assumption is that knowledge of the password guarantees the authenticity of the user. Each user registers initially using an assigned or self-declared password. On each subsequent use, the user must know and use the previously declared password.
Authentication provides a way of identifying a user, typically by having the user enter a valid username and a valid password before access is granted. The process of authentication is based on each user having a unique set of criteria for gaining access. The AAA server compares a user’s authentication credentials with the user credentials stored in a database. If the supplied credentials match, the user is granted access to the network. If the supplied credentials don’t match, authentication fails and network access is denied. The authentication database may be configured either in a local security database, using the username <username> password <password> command discussed in Chapter 1, or in a remote security database, such as a Cisco Secure ACS server.
There are many forms of authentication; the most common is, of course, the use of usernames and passwords. Username and password combinations can range from very weak to somewhat strong. Other authentication methods provide far stronger security at a greater financial cost and with greater management complexity. The trade-off is that weaker methods of authentication are often much easier to administer, whereas the stronger methods of authentication are more difficult to administer. The following list includes the advantages and disadvantages of some of the popular current authentication methods:
Usernames and passwords—This method has been the predominant method of authentication in the client/server environment. This is the least scalable method of authentication because usernames and passwords need to be assigned for each user and cannot be managed on a groupwide basis. Usernames and passwords may be assigned in a static manner so that they do not change unless they are changed manually by the administrator or user. Or they can be assigned so that after a certain period of time they age out and must be changed by the administrator or user.
Advantages:
Inexpensive and easy to implement.
Can be implemented entirely within software, avoiding the need for extra hardware.
Username and password can be carried over the network in hashed rather than cleartext form.
Disadvantages:
Increasingly prone to “eavesdropping” as username and password travel over the network.
Subject to replay attacks.
Subject to password guessing.
Ineffective password management and controls.
Can be captured by Trojan horses under false pretences.
Susceptible to “social engineering.”
Token Cards/Smart Cards—These are typically small credit-card-sized devices that use a hardware-based challenge-response authentication scheme in which the server challenges the user to demonstrate that he possesses a specific hardware token and knows a PIN or passphrase by combining them to generate a valid response. This method of authentication has become very popular in recent years.
Advantages:
Ease of use for users; they only need to remember a single PIN to access the token.
Ease of management; there is only one token instead of multiple passwords.
Enhanced security; the attacker requires both the PIN and the token to masquerade as the user.
Mobility; security is not machine specific.
No client-side software needed.
Disadvantages:
Client is required to carry a token card to use facilities.
Limited life span; tokens must be replaced about every four years.
Ongoing operations cost associated with keeping track of token cards.
Longer time to authenticate the identity of the user because numerous steps are required to authenticate the client.
Digital Certificates—Digital certificates are electronic documents that are generally issued by a trusted third party called a Certificate Authority. The certificates contain information about the user that the Certificate Authority has verified to be true. They consist of a public key, represented as a series of characters, that resides on the user’s computer. When an electronic message is sent from the mobile client to the enterprise, it is signed using the digital certificate. Digital certificates are an essential part of the public key infrastructure (PKI) because PKI manages the process of issuing and verifying the certificates used to grant people and systems access to other systems.
Note Digital certificates will be discussed in detail in Chapter 6, “Internet Security Protocol (IPSec).”
Advantages that digital certificates provide are as follows:
Validation of a file’s creator. Recipients need to know that the sender created the file.
Personalization scalability features.
Industry momentum is growing for digital certificates.
Disadvantages of digital certificates are as follows:
Complicated for most users to install.
Must be installed on every computer.
Not feasible where users share machines.
PAP and CHAP Authentication
Remote access is an integral part of any corporate mission. Traveling salespeople, executives, and telecommuters all need to communicate by connecting to the main office local area network. To make these remote connections, remote users must have the appropriate software, protocol stacks, and link-layer drivers installed on their remote access device. Point-to-point links between local area networks can provide sufficient physical connectivity in many application environments. Most corporations provide access to the Internet over point-to-point links, which gives them an efficient way to reach their service provider locally. The Internet community has adopted the Point-to-Point Protocol (PPP) for the transmission of IP datagrams over serial point-to-point lines. PPP is a Data Link layer protocol that provides router-to-router and host-to-network connections over synchronous and asynchronous circuits. PPP has the following three main components:
A method for encapsulating datagrams over serial links.
Link Control Protocols (LCPs) establish, configure, authenticate, and test data-link connections.
Network Control Protocols (NCPs) establish and configure different Network-layer protocols.
Link Control Protocols are used as a security measure for authentication with PPP and PPP callback. This method of authentication allows the dial-up destination to determine if the dial-up client is correctly authenticated based on a preassigned username and password combination. Point-to-Point Protocol (PPP) currently supports two authentication protocols: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). Both PAP and CHAP are specified in RFC 1334. The dial-up destination uses either PAP or CHAP to determine if the dial-up client is authenticated.
PAP provides a simple method for the remote client to establish its identity using a one-way authentication handshake when communication is taking place between a host and an access server; this is detailed in Figure 2.1.
Figure 2.1: One-way PAP authentication.
The PAP authentication process occurs as follows:
1. The incoming client establishes PPP negotiation on the interface configured with PPP encapsulation and informs the access server to use PPP.
2. The network access server determines which authentication method to use. In this case, the network access server tells the remote client to use PAP.
3. The client sends the username and password in cleartext PAP format to the network access server.
4. The network access server compares the values passed to it from the remote client against the values configured within its local database, or queries a security server, to accept or reject the remote client.
When communication is taking place between two routers, PAP uses a two-way authentication handshake; a username/password pair is repeatedly sent by the peer to the authenticator until the authentication is acknowledged or the connection is terminated. For PAP, this process proves to be an insecure authentication method because the password is passed over the link in cleartext. With PAP, there is no protection from playback.
With CHAP authentication, the access server sends a challenge message to the remote node after the PPP link is established. The remote node answers with a value computed by running the challenge and its secret through a one-way hash function, and the access server checks the response against its own calculation of the expected hash value. If the values match, the authentication is accepted. This is detailed in Figure 2.2.
Figure 2.2: Three-way CHAP authentication.
The following list explains the CHAP authentication process:
1. The incoming client establishes PPP negotiation on the interface configured with PPP encapsulation.
2. LCP negotiates CHAP and Message Digest 5 (MD5), and the network access server informs the remote client to use CHAP.
3. The remote client acknowledges the request.
4. A CHAP challenge packet is built and sent to the remote client. The CHAP packet contains the following items:
   Packet type identifier
   Sequential identification number
   Random number (the challenge value)
   Authentication name of the network access server
5. The remote client processes the CHAP challenge packet as follows:
   The sequential id is run through an MD5 hash generator.
   The random number is run through an MD5 hash generator.
   The authentication name is used to determine the password.
   The password is run through the MD5 hash generator.
   The result is a one-way hash of the CHAP challenge that is sent back to the network access server in a CHAP response packet.
6. The CHAP response packet is received by the network access server, and the following occurs:
   The sequential id number identifies the original challenge.
   The sequential id number is run through an MD5 hash generator.
   The original random number is run through an MD5 hash generator.
   The authentication name is used to look up a password.
   The password is run through the MD5 hash generator.
   The hash value that was received is then compared against the value the network access server calculated.
7. If authentication was successful, a CHAP success packet is built and sent to the remote client. Likewise, if authentication is unsuccessful, a CHAP failure packet is built and sent to the remote client.
CHAP provides protection against playback attacks through the use of a variable challenge value that is unique and unpredictable. The use of repeated challenges every two minutes during any CHAP session is intended to limit the time of exposure of any single attack. The access server controls the frequency and timing of the challenges.
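As an added illustration that is not from the book, the following Python model walks through the CHAP exchange just described (steps 1 through 7), using the RFC 1994 hash construction of MD5 over the identifier, the shared secret, and the random challenge value. The peer name branch-rtr, the server name nas-1, and the secret table are constructed assumptions; the model shows why a captured response cannot be replayed against a fresh challenge.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# CHAP Code field values from RFC 1994.
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
# Constructed sample: shared secrets the access server holds, keyed by peer name.
NAS_SECRETS = {"branch-rtr": b"s3cret-shared-key"}


@dataclass
class ChapPacket:
    code: int        # packet type identifier
    identifier: int  # sequential identification number (one byte on the wire)
    value: bytes     # random challenge value, or the MD5 hash in a response
    name: str        # authenticator name in a challenge, peer name in a response


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # One-way hash over Identifier || secret || Challenge Value (RFC 1994).
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class AccessServer:
    def __init__(self, secrets: dict, name: str = "nas-1"):
        self.secrets, self.name = secrets, name
        self.last_id = 0
        self.pending = {}  # identifier -> outstanding random challenge value

    def challenge(self) -> ChapPacket:
        # Fresh, unpredictable value every time; the id matches the reply to it.
        self.last_id = (self.last_id + 1) & 0xFF
        self.pending[self.last_id] = os.urandom(16)
        return ChapPacket(CHALLENGE, self.last_id, self.pending[self.last_id], self.name)

    def verify(self, resp: ChapPacket) -> ChapPacket:
        # A challenge is consumed on first use, so a replayed response never matches.
        value = self.pending.pop(resp.identifier, None)
        secret = self.secrets.get(resp.name)
        ok = (value is not None and secret is not None and
              hmac.compare_digest(chap_hash(resp.identifier, secret, value), resp.value))
        return ChapPacket(SUCCESS if ok else FAILURE, resp.identifier, b"", self.name)


def peer_respond(chal: ChapPacket, name: str, secret: bytes) -> ChapPacket:
    # Remote client: hash the sequential id, its own secret and the random value.
    digest = chap_hash(chal.identifier, secret, chal.value)
    return ChapPacket(RESPONSE, chal.identifier, digest, name)


def authenticate(nas: AccessServer, name: str, secret: bytes) -> int:
    # Full exchange: challenge, response, then the code of the Success/Failure packet.
    return nas.verify(peer_respond(nas.challenge(), name, secret)).code
```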
After authentication, a user must be authorized to do certain tasks. Simply put, authorization is the process of enforcing policies (or giving someone permission to do or have something)—determining what types or qualities of activities, resources, or services a user is permitted to use. After authenticating into a system, for instance, the user may try to issue commands. The authorization process determines whether the user has the authority to do so. Sometimes, authorization occurs within the context of authentication. After you have authenticated a user, she needs to be authorized for different types of access or activity. You configure the network device to control user access to the network so that users can perform only functions that are deemed to be within the context of their authentication credentials.
When authorization takes place, a set of attributes describing what actions a user is authorized to perform is compiled. After a user attempts to gain access to a system, the network device determines and enforces the permissions of the user based on the authorization information contained within the database and the user’s authentication credentials. The assembled attributes may be configured in either a local security database or a remote security database, such as a Cisco Secure ACS server.
Accounting, which is the third major requirement in the AAA security system, is the process of recording what the user does in addition to what the user accesses and for how long. You can also use accounting to measure the resources users consume during their sessions. This can include the amount of system time or the amount of data a user has sent and/or received during a session. Accounting is accomplished through logging of session statistics and usage information, and it’s used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities, which form an audit trail when combined. All of the information that is gathered during the accounting phase can be used to provide audit documentation to customers or clients.
An accounting record typically contains the following information:
Start time, stop time, and date
Log origination date and time