14. 14.13 Authentication Servers
In this video, we want to talk about some different types of authentication servers. First up, let’s consider a AAA server. And we’re going to have a couple of categories of AAA servers. The A’s here stand for authentication, asking who are you? Authorization, asking what are you allowed to do? And accounting, asking what did you do? And together we’re going to be able to use a AAA server, either a TACACS+ server or a RADIUS server, to perform these functions on our network as someone is trying to access network resources. So let’s do a side by side comparison of TACACS+ and RADIUS. And notice I say TACACS+. There actually is an industry standard of TACACS, but the TACACS+ variant is Cisco proprietary, while RADIUS is an industry standard. Each of these servers can perform all of these different functions: we can provide credentials to prove we are who we claim to be.
These servers can say what we are allowed to do once we authenticate ourselves. And then there can be an audit trail, that’s the accounting component of AAA, that can look back and see what we did. A few more differences between TACACS+ and RADIUS: TACACS+ uses TCP, while RADIUS uses the unreliable UDP. TACACS+ separates these different functions, while RADIUS combines authentication, authorization and accounting. TACACS+ does two-way authentication, doing a challenge and response in each direction, while it’s only one way for RADIUS. TACACS+ is going to encrypt the entire packet; RADIUS only encrypts the password. And looking at the side by side comparison, you might say, well, obviously TACACS+ is the clear winner. When would we ever want to use RADIUS? Well, actually, RADIUS does show up a lot in our networks.
If we’re doing 802.1X, which is a way of a user gaining access to a network that’s used heavily in wireless networks in enterprise mode, and it’s also used when devices are connecting into an Ethernet switch and need to authenticate, they’re probably doing that with a RADIUS server. Also, RADIUS servers have more robust accounting features as compared to TACACS+, but either option will give us authentication, authorization and accounting. And there’s another type of authentication server that CompTIA wants us to know about: the Kerberos system. And this is named after the mythological three-headed dog that guards the gates of Hades. And sometimes it’s spelled like this, Kerberos. Sometimes you see it spelled with a C and ending in -rus, and it’s pronounced Cerberus, but I typically just call it Kerberos. And with Kerberos, let’s say that this client wants to contact and communicate with the file server you see on screen.
And in order for that to work in a Kerberos environment, there’s something called a KDC that we see here, a key distribution center. And the key distribution center contains a couple of functions. It contains an authentication server and a ticket granting server. And if both the client and the file server trust the KDC, then they can establish a trust relationship with one another and then they can communicate. But the way it starts out, and I’m not going to go through every detail about all the different back and forth exchanges, there are several of them happening here, let’s take an overview. What happens here is the client wants to communicate with the file server. So the user gives, let’s say, their username and password credentials.
And Kerberos is going to take those two strings, the username and the password, and it’s going to run them through a hash, and that’s a function that’s going to generate a string of text, and that text is going to be sent over to the authentication server. Now this is a one-way hash. There’s no way to take the hash string and extract from that the original username and password combination. But the authentication server says, oh, this client with this username wants to communicate with this file server. Well, let’s make sure they gave the right password. And the authentication server is going to take the username provided in clear text and the password that the authentication server has stored in its database, and it runs the hash function on those and it makes sure that the hash value matches the hash value sent over by the client. If it does, we’ve got some assurance that the client is who they claim to be. They’ve provided appropriate username and password credentials. So the authentication server tells the client, okay, you gave the correct password.
I’m going to hand you off now to the ticket granting server. The authentication server says, here’s a key that’s going to be used in your encryption algorithm, and here’s a key that’s going to be used when you communicate with the ticket granting server. And also here’s a ticket granting ticket. And by the way, I’ve encrypted the ticket granting ticket with the ticket granting server’s secret key, which it does not give to you. So the client is not even able to decrypt the ticket granting ticket, but it’s going to send it over to the ticket granting server and it’s going to say, I’d really like to talk to the file server. And I’ve got this session key that allows us to talk securely. And here’s this ticket. I cannot read it, but I know you can read it because you can decrypt it with your secret key.
And the ticket granting server says, yes, I can decrypt it because I really am the ticket granting server, and I will allow you to communicate with the file server. Here’s a key that you can use to communicate with that file server, and that’s encrypted with the client’s key. And here’s a ticket that you can give to the file server, and only the file server can decrypt it because it was encrypted with the file server’s secret key. So the client tells the file server, hey, let’s set up this secure communications link. We’re using this secret key. And here’s the ticket I was told to give you. I cannot read it because it’s encrypted with your secret key. And the file server decrypts it and says, yes, now I can read it. Let’s talk. And we establish this communication channel between the client and the file server.
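To make that three-hop exchange concrete, here is an added Python simulation (not code from the video or from any real Kerberos implementation) of the flow as the video describes it: the client hashes its username and password, the authentication server hands back a TGT the client cannot read, the ticket granting server hands back a service ticket only the file server can read, and the file server ends up sharing a session key with the client. The cipher is a toy HMAC-based construction standing in for the real Kerberos ciphers, and the principals, keys and passwords are constructed for the example.

```python
import hashlib, hmac, json, os

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    # Toy authenticated encryption: HMAC-SHA256 keystream XOR, then an HMAC tag.
    data = json.dumps(obj).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")   # holder of another key cannot read it
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

def user_key(username, password):
    # The video's model: username and password run through a one-way hash.
    return hashlib.sha256(f"{username}:{password}".encode()).digest()

# Constructed principals and long-term secrets; only the KDC side knows all of them.
USERS = {"alice": user_key("alice", "correct horse")}
TGS_KEY = os.urandom(32)          # ticket granting server's secret key
FILESERVER_KEY = os.urandom(32)   # file server's secret key

def authentication_server(username, client_hash):
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, client_hash):
        raise PermissionError("authentication failed")
    tgs_session = os.urandom(32)
    tgt = encrypt(TGS_KEY, {"user": username, "key": tgs_session.hex()})  # client cannot read this
    return encrypt(stored, {"tgs_key": tgs_session.hex()}), tgt

def ticket_granting_server(tgt, service):
    claims = decrypt(TGS_KEY, tgt)                 # only the TGS holds TGS_KEY
    svc_session = os.urandom(32)
    ticket = encrypt(FILESERVER_KEY, {"user": claims["user"], "svc": service, "key": svc_session.hex()})
    return encrypt(bytes.fromhex(claims["key"]), {"svc_key": svc_session.hex()}), ticket

def file_server(ticket_blob, authenticator):
    ticket = decrypt(FILESERVER_KEY, ticket_blob)  # only the file server holds its own key
    session = bytes.fromhex(ticket["key"])
    request = decrypt(session, authenticator)      # client proves it holds the session key
    return ticket["user"], request["op"]

def kerberos_login(username, password, op="mount share"):
    k_user = user_key(username, password)
    enc_tgs_key, tgt = authentication_server(username, k_user)
    tgs_session = bytes.fromhex(decrypt(k_user, enc_tgs_key)["tgs_key"])
    enc_svc_key, ticket = ticket_granting_server(tgt, "fileserver")
    svc_session = bytes.fromhex(decrypt(tgs_session, enc_svc_key)["svc_key"])
    return file_server(ticket, encrypt(svc_session, {"op": op}))

def login_ok(username, password):
    try:
        kerberos_login(username, password)
        return True
    except PermissionError:
        return False
```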
That’s the way that Kerberos traditionally works. However, in some more recent implementations, instead of using all of these secret keys, we could use a public key certificate system. And with a public key certificate, what happens is, let’s say the file server wants to give a key out to the client. Well, it can make that key available freely inside of a digital certificate that the client downloads. The client downloads the certificate and it sees the public key of the file server. So what the client can do is create a session key, encrypt it with the file server’s public key that was made publicly available inside of that certificate, and send it to the file server.
Now, here’s the thing. If something is encrypted with the file server’s public key, it can only be decrypted with the file server’s private key, which it does not give anyone. So the file server gets that session key that’s been encrypted with its public key. Only the file server is able to decrypt it.
So it decrypts it, and the file server now has a session key that matches the session key of the client. So now the client and the file server can have secure communication between themselves. And so far in this video, we’ve talked about how one client wants to talk to one server, or to get to one set of resources, and how it’s authenticated to do that. However, in today’s networks, there are lots of things a client might need to authenticate to in order to access them. For example, let’s say that this client on screen wants to get to an email server or a file server, or maybe some other server on the network. That’s the reason we love the concept of single sign-on.
We have all of the credentials we need to access all the network resources stored on an LDAP server. That stands for Lightweight Directory Access Protocol. And the client can authenticate with that LDAP server. And if the email server is integrated with the LDAP server, and the file server is integrated with the LDAP server, then the client has permission to communicate with those servers as well. And a common example of an LDAP server, it’s not the only one, but a common example of an LDAP server, is Microsoft’s Active Directory. Also, maybe we have an IP phone and I’m trying to look up somebody’s phone number on the network. Well, since there’s just one single repository of user accounts, the IP phone can look to that LDAP server.
And if it has permission to do so, it can get a listing of users on the network. So by having this single repository of all network users, with associated permissions for those users, we can dramatically reduce the administrative overhead of setting up authentication for individual network services. So that’s a look at three different approaches for accessing network services. We could use a AAA server, which might be TACACS+ or RADIUS. We could use Kerberos with the KDC, the key distribution center. Or we could use single sign-on with some sort of an LDAP server.
15. 14.14 User Authentication
In this video, let’s dig a bit deeper into user authentication. User authentication might be more than just a user providing a username and a password. After all, if you know my username and password, suddenly you’ve got access to all my stuff. Maybe that’s not okay. So what a lot of people are using now is multifactor authentication, or MFA. Or you may hear it called two-factor authentication if we’re just using two of these factors. But I’m going to use the generic term multifactor authentication in this video. And this is where authentication is based not just on one thing, like providing a username and a password, but it could be something like a fingerprint. Let’s take a look at a few examples. One example is something we know, a password.
That could be one of our factors. It could be something that we’re in possession of, like some sort of a key card, as another example. Or sometimes if you’re trying to access a site on the Internet, you may receive a text message on your phone. When that text message shows up on your phone with a code that you type into the website, that shows that you are in possession of your phone. Maybe biometrics are used, something that a user is, like a retinal scan or a fingerprint scan. Or maybe on an Apple iPhone it scans your face. It could be based on your location. This is something called geofencing, as an example.
My wife and I were on vacation not too long ago, and we were in another country, and we tried to get Netflix running on our laptop and it didn’t work because it knew I was out of the country. Another factor could be based on what the user does. On some smartphones, you take your finger and you can log into that smartphone by drawing a certain pattern on the screen. And those are some examples of ways that a user might be authenticated, and they can be stacked to dramatically increase the security of that user account. A user might have to be authenticated just to get access to the network. Consider the standard IEEE 802.1X.
Here we have three main players. We’ve got a supplicant, an authenticator and an authentication server. The supplicant is something like a client. The authenticator might be the way we access the network. It could be a wireless access point on a wireless network, or it might be an Ethernet switch on a wired network. Now, in this example, we’ve got a Layer 2 switch, and the authentication server could be something like a RADIUS server that has a database of username and password combinations. And let’s say the supplicant wants to access the network. Well, they could send a request to the authentication server, and if they are authenticated, the authentication server could tell the authenticator, which is the switch in this case: all right, this supplicant, they’re good people. Let them into the network. In fact, here’s a key that you can use to encrypt traffic between yourself and the client. And this key that’s going to be used by both the authenticator and the supplicant, that’s called a session key. And maybe a user is who they claim to be, and they know all of their credentials, and they have whatever they’re supposed to have for the multifactor authentication. But we still might not want to let them onto the network, because the computer or the device that they’re using to try to access the network is not up to spec.
For example, we might be using something like NAC, Network Access Control, and that could check the version of the operating system or the version of the antivirus software running on that operating system. And if it doesn’t meet the minimum specifications, we can reject that user from accessing the network. This is sometimes called posture validation. Another way that’s sometimes used to filter access to the network is MAC address filtering. We could say that specific MAC addresses have access to network resources, and if you bring in some laptop from home, it’s not going to be able to access those corporate resources because the MAC address doesn’t match up with the database of approved MAC addresses. This is not super secure, though, because it is somewhat trivial on many operating systems to simply spoof your MAC address.
But it does add some extra security. And before we let somebody on the network, we might want them to first go through what’s called a captive portal. You see this oftentimes in hotel environments: you check into your hotel room and they tell you that you have free WiFi. And when you connect to the WiFi and you try to go out to your favorite website, you’re met with a screen that says before you can get on the Internet, we need to know your last name and we need to know your room number. So it’s capturing some information. Even though you have physical access to the network, it’s capturing some information and authenticating you through this portal before you can get anywhere else. So even though you’re using a web browser, this captive portal can intercept your web request and make you authenticate there. And those are a few examples of common user authentication methods.
16. 14.15 Physical Security
As we are securing our network, it’s great to have devices like a firewall and an intrusion prevention system sensor, and to use strong hashing and encryption algorithms. But something that often gets overlooked, or we don’t give it enough attention, is physical security. We want to make sure that somebody doesn’t go in and tamper with or walk off with some equipment that we have, or gain access to sensitive information. And as a personal confession, I did that at one time when I was working at a university: I left a storage room unlocked. And I thought, nobody’s going to go in that storage room where this equipment is stored, because they would have to go through three different doors to get there. It’s very out of the way. But somebody did, and they walked off with a lot of expensive networking gear, so I’m a big proponent of physical security.
What can we do to detect something that might be going on? Well, we could put motion detectors in close proximity to doorways or equipment cabinets, places where somebody should not be without authorization. We could also put asset tracking tags on our gear, not just for inventory purposes, but some of these asset tracking tags have passive RFID chips in them. So if somebody carries a piece of equipment through a doorway that’s set up to be a portal, it can detect that that RFID tag went through the door and alert someone. We could have video surveillance keeping an eye on things, in addition to detecting if somebody has tampered with a piece of equipment. As an example, you might have seen something like this when you’re traveling. If you’re traveling internationally, some people put a lock on the zipper pulls on their suitcase, or maybe the travel agency, when you’re traveling internationally, might put a wire tie or a zip tie on the zipper pulls.
So if somebody were to open that suitcase up and access the contents, or add something to the contents, it would be evident that somebody had tampered with it. Well, we can use this kind of thing for our networking gear as well. We could have some sort of a sticker or a seal closing the chassis of perhaps a server, or maybe a router chassis. If somebody were to open that up, they would have to break that sticker or that seal. Or we might put a zip tie on as well, to make sure that nobody has accessed this without our knowledge. And those are a few detection methods for physical security. How do we prevent it, though? Well, to better prevent any sort of physical security breach, we can have badges, where an employee might have to swipe in to enter a doorway. And that badge not only opens the door, it also logs the fact that this employee was at this doorway at this particular time, in case somebody’s going back and trying to figure out who was in close proximity to a particular event.
Maybe somebody has to use biometrics, like a fingerprint or a retinal scan, to get access to a door. One of the big prevention mechanisms, though, is actually employee training: making sure employees know what to watch out for, and not to let unauthorized or unknown personnel access an area, or access documents or equipment that they should not be accessing. And one way some bad actors get access to locations they should not have access to is called tailgating. They just walk casually behind somebody that’s going through a door, and that person they’re following has access. They use their badge or their biometrics. They open the door, and this person might be pretending to be a delivery person. They might have a box and say, hey, can you hold the door for me? And they go in and they get through that secure door. To better protect against that, we can have man traps outside of sensitive areas. With a man trap, also known as an access control vestibule, by the way, we have at least two doors in this room. And when you open one door, the other door is locked until the first door is closed. You can only have one door unlocked at any one time. That’s going to prevent somebody from just following you through an open door. And sometimes there may be somebody sitting in that access control vestibule to check the credentials of people passing through.
That’s called a man trap or an access control vestibule. And of course, let’s lock things up. That was one of my big mistakes when I let that networking gear walk away. Not only locking doors, but we can lock equipment racks or different cabinets containing equipment. You may have also heard of a smart locker. This is a locker where equipment can be stored. And this equipment might be for disaster recovery or equipment that’s going to be sent out for repair. But it’s going to require somebody to authenticate themselves before they can unlock that locker. They might authenticate themselves using something like a badge or a barcode or a QR code. But we’re going to be able to track when a certain person accessed that smart locker because they authenticated themselves.
And when it’s time to get rid of equipment, we don’t want somebody browsing through a hard drive lying in the dumpster and gaining access to sensitive information. So before you throw out equipment that has configurations, documents, anything that might be sensitive, you probably want to erase it. You might want to reset it to a factory default configuration, for example, if it’s a piece of networking gear, because that piece of networking gear might be hard coded with a pre-shared key, different access control list configurations, things that you would not want to be made public. And if you’re getting rid of a computer, for example, it’s not enough to just format the hard drive. Even though it appears to be erased, most of the data is still there. And a knowledgeable attacker that gains access to that hard drive might be able to read a good bit of the information on that hard drive. So we need to sanitize our devices.
For example, here are a couple of things that I’ve done personally. If I’m getting rid of a server that has hard drives, I often use something called DBAN, Darik’s Boot and Nuke, and that’s going to write data over top of any existing data on that hard drive, so there’s not going to be any residual data still lying there. Or sometimes, if I’m not going to reuse this hard drive or give it to somebody, if I just really want to get rid of it, I often take a hammer and I will just hit that hard drive until it rattles inside. I want to shatter those platters on the hard drive, and that’s another way of doing deep sanitization on that device. So in this video, we’ve taken a look at a few ways to detect somebody that might be trying to physically access something they should not access. We talked about ways to prevent that access, and how to properly dispose of our networking gear.
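As an added illustration (not from the video), here is a small Python simulation of why a quick format is not sanitization. The toy on-disk layout (a directory in block 0, data in the blocks after it), the filename and the configuration line are all constructed; the overwrite pass stands in for what a tool like DBAN does to a real drive.

```python
import os

BLOCK = 64        # bytes per simulated disk block
NBLOCKS = 32      # a 2 KiB "drive", constructed for the example
# Block 0 is the directory: "name:start_block:length;" entries, zero padded.

def new_disk():
    return bytearray(BLOCK * NBLOCKS)

def _entries(disk):
    raw = bytes(disk[:BLOCK]).rstrip(b"\x00").decode()
    return [e.split(":") for e in raw.split(";") if e]

def write_file(disk, name, data):
    """Store data in the next free block(s) and record it in the directory."""
    ents = _entries(disk)
    start = 1 + sum((int(n) + BLOCK - 1) // BLOCK for _, _, n in ents)
    disk[start * BLOCK : start * BLOCK + len(data)] = data
    ents.append([name, str(start), str(len(data))])
    table = ";".join(":".join(e) for e in ents).encode() + b";"
    disk[:BLOCK] = table.ljust(BLOCK, b"\x00")

def read_file(disk, name):
    """Normal access goes through the directory; no entry means 'file not found'."""
    for n, start, length in _entries(disk):
        if n == name:
            s = int(start) * BLOCK
            return bytes(disk[s : s + int(length)])
    return None

def quick_format(disk):
    """What a quick format does: clear the directory, leave the data blocks alone."""
    disk[:BLOCK] = b"\x00" * BLOCK

def raw_scan(disk, needle):
    """What a recovery tool does: search the raw blocks and ignore the directory."""
    return bytes(disk).find(needle) != -1

def sanitize(disk, passes=3):
    """DBAN-style wiping: overwrite every block several times, finish with zeros."""
    for _ in range(passes):
        disk[:] = os.urandom(len(disk))
    disk[:] = b"\x00" * len(disk)

def demo():
    disk = new_disk()
    # Constructed router config line with a pre-shared key, the kind of thing
    # the video warns about leaving on discarded gear.
    secret = b"crypto isakmp key hunter2 address 203.0.113.5"
    write_file(disk, "router.cfg", secret)
    results = {"read_after_write": read_file(disk, "router.cfg") == secret}
    quick_format(disk)
    results["file_listed_after_format"] = read_file(disk, "router.cfg") is not None
    results["secret_recoverable_after_format"] = raw_scan(disk, b"hunter2")
    sanitize(disk)
    results["secret_recoverable_after_wipe"] = raw_scan(disk, b"hunter2")
    return results

if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```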