Chapter 8. Physical Security and Authentication Models

This chapter covers the following subjects:

Physical Security: An organization’s building is one of its greatest assets and as such it should be properly protected. This section details door access, biometric readers, access logs, and video surveillance to teach you some of the ways to protect the building, its contents, and its inhabitants and to ensure proper authentication when a person enters a building.

Authentication Models and Components: You can use various methods and models to authenticate a person who wants to access computer networks and resources. This section delves into local authentication technologies such as Kerberos, LDAP, and 802.1X and remote authentication types, for instance RAS and VPN.

This chapter covers the CompTIA Security+ SY0-201 objectives 3.6, 3.7, 3.8, and 3.9.

I suppose that at times life on this planet is all about proving oneself. The world of security is no different. To gain access to an organization’s building and ultimately to its resources, you must first prove yourself in a physical manner, providing indisputable evidence of your identity. Then, perhaps you can gain access by being authenticated, as long as the system authenticating you accepts your identification. Finally, if all this goes through properly, you should be authorized to specific resources such as data files, printers, and so on.

Some people use the terms identification, authentication, and authorization synonymously. Although this might be somewhat acceptable in everyday conversation, we need to delve a bit deeper and attempt to make some distinctions between the three.

Identification—When a person is in a state of being identified. It can also be described as something that identifies a person such as an ID card.

Authentication—When a person’s identity is confirmed or verified through the use of a specific system. Authorization to specific resources cannot be accomplished without previous authentication of the user. This might also be referred to as access control, but generally authentication is considered to be a component of access control.

Authorization—When a user is given permission to access certain resources. This can be accomplished only when authentication is complete.

The CompTIA Security+ exam concentrates most on the terms authentication and access control. This chapter focuses mostly on the authentication portion of access control. The rest of access control is covered in Chapter 9, “Access Control Methods and Models.”

First, we cover the physical ways that a person can be authenticated. Then, we move on to ways that a person can be authenticated to a computer network, whether they are attempting to connect locally (for example, on the LAN), or if they are connecting remotely (for example, via a VPN).

Authentication is required to gain access to a secure area of the building or to gain access to secure data. A person might authenticate themselves in one of several ways depending on the authentication scheme used, by presenting one of the following:


Something the user knows—Such as a password or PIN

Something the user has—Such as a smartcard or ID card

Something the user is—Such as a thumbprint or retina scan or other biometric

Something the user does—Such as a signature or voice recognition

Where a person is will also affect the authentication process. In this chapter, we cover local and remote types of authentication methods.

Another term you might hear in your travels is identity proofing, which is an initial validation of an identity. For example, if employees working for the government tried to enter a restricted building, the first thing they would do is show their ID. A guard or similar person would then do an initial check of that ID. Additional authentication systems would undoubtedly ensue. Identity proofing is also when an entity validates the identity of a person applying for a certain credential with that entity. It could be used for anonymous access as well.

As you go through this chapter and read about the following physical and logical authentication technologies, try to remember this introduction and apply these concepts to each of those authentication types.

Foundation Topics: Physical Security

To control access, physical security can be considered the first line of defense, sort of like a firewall is the first line of defense for a network. Implementing physical access security methods should be a top priority for an organization. Unfortunately, securing physical access to the organization’s building sometimes slumps to the bottom of the list. Or a system is employed, but it fails to mitigate risk properly. In some cases, the system is not maintained well. Proper building entrance access and secure access to physical equipment is vital. And anyone coming and going should be logged and surveyed. Let’s discuss a few of the ways that we can secure physical access to an organization’s building.

General Building and Server Room Security

Protecting an organization’s building is an important step in general security. The more security a building has, the less you will have to depend on your authentication system. A building’s perimeter should be surveyed for possible breaches; this includes all doors, windows, loading docks, and even the roof. The area around the building should be scanned for hiding places; if there are any they should be removed. The area surrounding the building should be well lit at night. Some companies may opt to use security guards and guard dogs. It is important that these are trained properly; usually an organization will enlist the services of a third party. Video surveillance can also be employed to track an individual’s movements. Video cameras should be placed on the exterior perimeter of the building in an area hard to access, for example 12 feet or higher with no lateral or climbing access. The more hidden the cameras are the better. Video cameras can also be placed inside the building especially in secure areas such as executive offices, wiring closets, and server rooms, and research and development areas. Many organizations use closed circuit television (CCTV) but some will opt for a wired/wireless IP-based solution. Either way, the video stream may be watched and recorded, but it should not be broadcast. Video cameras are an excellent way of tracking user identities. Motion detectors are also common as part of a total alarm system. They are often infrared-based (set off by heat) or ultrasonic-based (set off by certain higher frequencies). We could go on and on about general building security, but this chapter focuses on authentication. Besides, I think you get the idea. If your organization is extremely concerned about building security, and doubts that it has the knowledge to protect the building and its contents properly, consider hiring a professional.

The server room is the lifeblood in today’s organizations. If anything happens to the server room, the company could be in for a disaster. We talk more about how an organization can recover from disasters in Chapter 14, “Redundancy and Disaster Recovery,” but the best policy is to try to avoid disasters before they happen. So there are some things you should think about when it comes to server room security. First, where is the server room to be placed? It’s wise to avoid basements or any other areas that might be prone to water damage. Secondly, the room should be accessible only to authorized IT persons. This can be accomplished by using one of many door access systems. The room should also have video surveillance saved to a hard drive located in a different room of the building or stored off site. All devices and servers in the server room should have complex passwords that only the authorized IT personnel have knowledge of. Devices and servers should be physically locked down to prevent theft. We talk more about server room security and building security in Chapter 14 and Chapter 15, “Policies, Procedures, and People.” However for now, door access is the number one way to stop intruders from getting into the building or server room. If the system is set up properly, the intruder cannot be authenticated. Let’s talk about door access in a little more depth.

Door Access

Lock the door! Sounds so simple, yet it is often overlooked. As a person in charge of security for a small business or even a mid-sized business, you have to think about all types of security, including entrances to the building. Door locks are essential. When deciding on a locking system to use, you should take into account the type of area your building is in and the crime rate, and who will have authorized access to the building. If you purchase regular door locks that work with a key, it is recommended that you get two or three of them. The first one should be tested. Can you break into it with a credit card, jeweler’s screwdriver, or other tools? And a backup should always be on hand in case the current door lock gets jimmied in an attempt to force a break-in. Cipher locks are a decent solution when regular key locks are not enough, but you don’t want to implement an electronic system. The cipher lock uses a punch code to lock and unlock the door. Though it has a relatively small number of possible combinations, the fact that each one must be attempted manually makes such locks difficult to get past.

Of course, many companies get more technical with their door access systems. Electronic access control systems such as cardkey are common. These use scanning devices on each door used for access to the building. They read the cardkeys that you give out to employees and visitors. These cardkeys should be logged; it should be known exactly who has which key at all times. The whole system is guided by a cardkey controller. This controller should be placed in a wiring closet or in a server room, and that room should be locked as well (and protected by the cardkey system). Some companies implement separate cardkey systems for the server room and for the main entrances. Some systems use ID badges for identification and authentication to a building’s entrance. They might have a magnetic stripe similar to a credit card, or they might have a barcode, or use an RFID chip. A key card door access system is another good practice for tracking user identities.

Note

Hardware-based security tokens are physical devices given to authorized users to help with authentication. These devices might be attached to a keychain or are part of a card system. Hardware-based tokens might be used as part of the door access system or as something that gives access to an individual computer.

Another possibility is the smart card. The smart card falls into the category of “something a person has,” and is known as a token. It’s the size of a credit card and has an embedded chip that stores and transacts data for use in secure applications such as hotel guest room access, prepaid phone services, and more. Smart cards have multiple applications, one of which is to authenticate users by swiping the device against a scanner, thus securing a computer or a computer room. It might also be used as part of a multifactor authentication scheme in which there is a combination of username/password (or PIN) and a smart card. Advanced smart cards have specialized cryptographic hardware that uses algorithms such as RSA and 3DES but will generally use private keys to encrypt data. (More on encryption and these encryption types later in Chapter 12, “Encryption and Hashing Concepts.”) A smart card might incorporate a processor or an RFID chip as well. A smart card security system will usually be composed of the smart card itself, smart card readers, and a back-office database that stores all the smart card access control lists and history.

Older technologies use proximity sensors, but this is not considered very secure today. However, the more complex the technology, the more it will cost. Quite often, in these situations, budgeting becomes more important to organizations than mitigating risk; and generally the amount of acceptable risk increases as the budget decreases. So, you will probably see proximity-based door access systems. HID (also known as HID Global) is an example of a company that offers various levels of door access control systems. Figure 8-1 shows an example of a proximity-based door access card.

Figure 8-1. Example of a Proximity-Based Door Access Card


To increase security of the entrances of the building, some organizations implement a mantrap, which is an area between two doorways, meant to hold people until they are identified and authenticated. This might be coupled with security guards, video surveillance, multifactor authentication, and sign-in logs. The main purpose of a physical access log or sign-in log is to show who entered the facility and when.

Door access systems are considered by many to be the weakest link in an enterprise. This can be taken to the next level by also incorporating biometrics, thus creating a different type of multifactor authentication scheme.

Biometric Readers

Biometrics is the science of recognizing humans based on one or more physical characteristics. Biometrics is used as a form of authentication and access control. It is also used to identify persons that might be under surveillance.

Biometrics falls into the category of “something a person is.” Examples of bodily characteristics that are measured include fingerprints, retinal patterns, iris patterns, and even bone structure. Biometric readers, for example fingerprint scanners, are becoming more common in door access systems and on laptops or as USB devices. Biometric information can also be incorporated into smart card technology. An example of a biometric door access system is Suprema, which has various levels of access systems including some that incorporate smart cards and biometrics, together forming a multifactor authentication system. One example of biometric hardware for a local computer is the Microsoft Fingerprint Scanner, which is USB-based.

Biometrics can be seen in many movies and TV shows. However, many biometric systems over the past decade have been easily compromised. It has only been of late that readily available biometric systems have started to live up to the hype. Thorough investigation and testing of a biometric system is necessary before purchase and installation. In addition, it should be used in a multifactor authentication scheme. The more factors the better, as long as your users can handle it. (You would be surprised what a little bit of training can do.) Voice recognition software has made great leaps and bounds since the turn of the millennium. A combination of biometrics, voice recognition, and PIN access would make for an excellent three-factor authentication system. But as always, only if you can get it through budgeting!

Authentication Models and Components

Now that we’ve covered some physical authentication methods, let’s move into authentication models, components and technologies used to grant or deny access to operating systems and computer networks.

The first thing a security administrator should do is plan what type of authentication model they will use. Then, consider what type of authentication technology and how many factors of authentication will be implemented. Also for consideration is how the authentication system will be monitored and logged. Getting more into the specifics, will only local authentication be necessary? Or will remote authentication also be needed? And which type of technology should be utilized? Will it be Windows-based or a third-party solution? Let’s discuss these concepts now and give some different examples of the possible solutions you can implement.

Authentication Models

A lot of small businesses and even some midsize businesses often have one type of authentication to gain access to a computer network—the username and password. In today’s security conscious world, this is not enough for the average organization. Some companies share passwords or fail to enforce password complexity. In addition, password cracking programs are becoming more and more powerful and work much more quickly than they did just five years ago, making the username and password authentication scheme limiting. Not to say that it shouldn’t be used, but perhaps it should be enforced, enhanced, and integrated with other technologies.

Because of the limitations of a single type of authentication such as username and password, organizations will sometimes use multiple factors of authentication. Multifactor authentication is when two or more types of authentication are used when dealing with user access control. An example of multifactor authentication would be when a user needs to sign in with a username and password and swipe some type of smart card or use some other type of physical token at the same time. Adding factors of authentication makes it more difficult for a malicious person to gain access to a computer network or an individual computer system. Sometimes an organization uses three factors of authentication; perhaps a smartcard, biometrics, and a username/password. The disadvantages of a multifactor authentication scheme are that users need to remember more information and remember to bring more identification with them, and more IT costs and more administration will be involved.

Some organizations have several or more computer systems that an individual user might need access to. By default, each of these systems will have a separate login. It can be difficult for users to remember the various logins. Single sign-on (SSO) is when a user can log in once but gain access to multiple systems without being asked to log in again. This is complemented by single sign-off, which is basically the reverse; logging off signs a person off of multiple systems. Single sign-on is meant to reduce password fatigue, or password chaos, which is when a person can become confused and possibly even disoriented when having to log in with several different usernames and passwords. It is also meant to reduce IT help desk calls and password resets. By implementing a more centralized authentication scheme such as single sign-on, many companies have reduced IT costs significantly. If implemented properly, single sign-on can also reduce phishing. In large networks and enterprise scenarios, it might not be possible for users to have a single sign-on, and in these cases it might be referred to as reduced sign-on. Single sign-on can be Kerberos-based, integrated with Windows authentication, or token- or smart card-based.

Whatever the type of authentication scheme used, it needs to be monitored periodically to make sure that it’s working properly. The system should block people who cannot furnish proper identification and should allow access to people who do have proper identification. Sometimes there are failures in which an authentication system will improperly authenticate people. A few examples of these include the following:

False positive—This is when a system authenticates a user who should not be allowed access to the system. This is also known as a Type I error.

False negative—This is when a system denies a user who actually should be allowed access to the system. This is known as a Type II error.

The previous two examples are the ones you should know for the exam. Other terminology used when dealing with authentication systems includes true positive, which is when legitimate persons are authenticated properly and given access to the system, and true negative, which is when illegitimate persons are denied access as they should be. Both of these are proper functions so they usually don’t come up as a conversation piece.

The type of authentication technology used will factor into the amount of false positives and false negatives that occur in any authentication scheme. Let’s talk about some of those authentication technologies now.

Localized Authentication Technologies

There are several types of technologies for authenticating a user to a local area network. Examples that are software-based include LDAP and Kerberos, whereas an example that involves physical characteristics would be 802.1X. Keep in mind that there is a gray area between localized and remote authentication technologies. I’ve placed each technology in the category in which it is most commonly used.

During this section and the next one, we mention several encryption concepts that work with the various authentication technologies. These encryption concepts and protocols will be covered in detail in Chapter 12 and Chapter 13, “PKI and Encryption Protocols.”

802.1X and EAP

802.1X is an IEEE standard that defines port-based Network Access Control (PNAC). Not to be confused with 802.11x WLAN standards, 802.1X is a Data Link Layer authentication technology used to connect hosts to a LAN or WLAN. It all starts with the central connecting device such as a switch or wireless access point. These devices must first enable 802.1X connections; they must have the 802.1X protocol (and supporting protocols) installed. Vendors that offer 802.1X-compliant devices (for example switches and wireless access points) include Cisco, Symbol, and Intel. Next, the client computer needs to have an operating system, or additional software, that supports 802.1X. The client computer is known as the supplicant. Examples of operating systems that support 802.1X include Windows XP, Windows Vista, and Windows 7, though each comes with its own set of advantages and disadvantages. Mac OS X offers support as well, and Linux computers can use Open1X to enable client access to networks that require 802.1X authentication.

802.1X encapsulates the Extensible Authentication Protocol (EAP) over wired or wireless connections. EAP is not an authentication mechanism in itself, but instead defines message formats. 802.1X is the authentication mechanism and defines how EAP is encapsulated within messages. An example of an 802.1X-enabled network adapter is shown in Figure 8-2. In the figure, you can see that 802.1X has been checked, and that the type of network authentication method for 802.1X is EAP.

Figure 8-2. Example of an 802.1X-Enabled Network Adapter in Windows Vista


Note

802.1X can be enabled in Windows by accessing the Local Area Connection Properties page.

Lab 1 in the “Hands-On Labs” section shows how to enable 802.1X on a network adapter.

Following are three components to an 802.1X connection:

Supplicant—A software client running on a workstation

Authenticator—A wireless access point or switch

Authentication server—An authentication database, most likely a RADIUS server

The typical 802.1X authentication procedure has four steps. The components used in these steps are illustrated in Figure 8-3.

Figure 8-3. Components of a Typical 802.1X Authentication Procedure


Note

802.1X authentication components include a supplicant, authenticator, and authentication server.

Step 1. Initialization—If a switch or wireless access point detects a new supplicant, the port is enabled only for 802.1X traffic; other types of traffic are dropped.

Step 2. Initiation—The authenticator (switch or wireless access point) periodically sends EAP requests to a MAC address on the network. The supplicant listens for this address and sends an EAP response that might include a user ID or other similar information. The authenticator encapsulates this response and sends it to the authentication server.

Step 3. Negotiation—The authentication server then sends a reply to the authenticator, specifying which EAP method to use. (These are listed next.) Then the authenticator transmits that request to the supplicant.

Step 4. Authentication—If the supplicant and the authentication server agree on an EAP method, the two transmit until there is either success or failure to authenticate the supplicant computer.
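The four steps above as an added example that is not part of the book: a simplified Python model of the port gating an authenticator performs, with a constructed dictionary standing in for the RADIUS user database and EAP-MD5 (the first method in the list that follows) as the method the server selects in Step 3.

```python
# Added example (not from the book): a simplified model of the four-step
# 802.1X procedure. The port gating is the point; the RADIUS database is a
# constructed dict and the negotiated method is EAP-MD5.
import hashlib
import hmac
import os
from dataclasses import dataclass, field

EAPOL_ETHERTYPE = 0x888E      # EtherType that carries EAP over LANs
IPV4_ETHERTYPE = 0x0800


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    eap: dict = field(default_factory=dict)   # EAP fields when ethertype is EAPOL


def md5_challenge_response(identifier, secret, challenge):
    """EAP-MD5 response: MD5(identifier || secret || challenge), as in PPP CHAP."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class AuthenticationServer:
    """Stand-in for the RADIUS server that holds the user database."""

    def __init__(self, users):
        self.users = users            # identity -> shared secret (constructed)
        self.challenges = {}          # identity -> (identifier, challenge)

    def start(self, identity):
        """Step 3: pick the EAP method for this identity and issue its challenge."""
        if identity not in self.users:
            return None
        ident, challenge = os.urandom(1)[0], os.urandom(16)
        self.challenges[identity] = (ident, challenge)
        return {"type": "request-md5", "identifier": ident, "challenge": challenge}

    def finish(self, identity, response):
        """Step 4: Access-Accept (True) or Access-Reject (False)."""
        pending = self.challenges.pop(identity, None)
        if pending is None:
            return False
        ident, challenge = pending
        expected = md5_challenge_response(ident, self.users[identity], challenge)
        return hmac.compare_digest(expected, response)


class Authenticator:
    """Switch or WAP: a port forwards only EAPOL until the server reports success."""

    def __init__(self, server):
        self.server = server
        self.ports = {}               # port -> {"authorized": bool, "identity": str}
        self.forwarded = []           # frames that reached the LAN

    def link_up(self, port):
        # Step 1 (initialization): new supplicant, port starts unauthorized
        self.ports[port] = {"authorized": False, "identity": None}
        # Step 2 (initiation): EAP-Request/Identity toward the supplicant
        return {"type": "request-identity"}

    def receive(self, port, frame):
        state = self.ports[port]
        if frame.ethertype != EAPOL_ETHERTYPE:
            if not state["authorized"]:
                return "dropped"      # Step 1: non-802.1X traffic is dropped
            self.forwarded.append(frame)
            return "forwarded"
        eap = frame.eap
        if eap["type"] == "response-identity":
            # Step 2 -> 3: relay the identity to the server, which picks the method
            state["identity"] = eap["identity"]
            request = self.server.start(eap["identity"])
            return request if request else "eap-failure"
        if eap["type"] == "response-md5":
            # Step 4: the server decides; only success authorizes the port
            if self.server.finish(state["identity"], eap["response"]):
                state["authorized"] = True
                return "eap-success"
            return "eap-failure"
        return "eap-failure"


def supplicant_session(auth, port, mac, identity, secret):
    """Drive one supplicant through the exchange; returns the observed outcomes."""
    outcomes = [auth.link_up(port)["type"]]
    ip_frame = Frame(mac, IPV4_ETHERTYPE)                    # e.g. a DHCP discover
    outcomes.append(auth.receive(port, ip_frame))            # before auth: dropped
    request = auth.receive(port, Frame(mac, EAPOL_ETHERTYPE,
                           {"type": "response-identity", "identity": identity}))
    if isinstance(request, str):                             # unknown identity
        return outcomes + [request]
    response = md5_challenge_response(request["identifier"], secret, request["challenge"])
    outcomes.append(auth.receive(port, Frame(mac, EAPOL_ETHERTYPE,
                                 {"type": "response-md5", "response": response})))
    outcomes.append(auth.receive(port, ip_frame))            # after auth: forwarded?
    return outcomes
```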

Following are several types of EAP authentication:

EAP-MD5—This is a challenge-based authentication providing basic EAP support. It enables only one-way authentication and not mutual authentication.

EAP-TLS—This version uses Transport Layer Security, which is a certificate-based system that does enable mutual authentication. This does not work well in enterprise scenarios because certificates must be configured or managed on both the client and server sides.

EAP-TTLS—This version is Tunneled Transport Layer Security and is basically the same as TLS except that it is done through an encrypted channel, and it requires only server-side certificates.

EAP-FAST—This uses a protected access credential instead of a certificate to achieve mutual authentication. FAST stands for flexible authentication via secure tunneling.

PEAP—This is the protected extensible authentication protocol. It competes with TTLS and includes legacy password-based protocols.

Cisco also created a proprietary protocol called LEAP (Lightweight EAP), and it is just that—proprietary. To use LEAP, you must have a Cisco device such as an Aironet WAP or Catalyst switch, or another vendor’s device that complies with the Cisco Compatible Extensions program. Then you must download a third-party client on Windows computers to connect to the Cisco device. Most WLAN vendors offer an 802.1X LEAP download for their wireless network adapters.

Although 802.1X is often used for port-based network access control on the LAN, especially VLANs, it can also be used with VPNs as a way of remote authentication. Central connecting devices such as switches and wireless access points remain the same, but on the client side 802.1X would need to be configured on a VPN adapter, instead of a network adapter.

Many vendors, such as Intel and Cisco, refer to 802.1X with a lowercase x; however, the IEEE displays this on its website with an uppercase X. The protocol was originally defined in 2001 (802.1X-2001) and has been redefined in 2004 and 2010 (802.1X-2004 and 802.1X-2010, respectively). There are several links to more information about 802.1X at the end of the chapter.

LDAP

The Lightweight Directory Access Protocol (LDAP) is an Application Layer protocol used for accessing and modifying directory services data. It is part of the TCP/IP suite. Originally used in WAN connections, it has developed over time into a protocol commonly used by services such as Microsoft Active Directory on Windows Server domain controllers. LDAP acts as the protocol that controls the directory service. This is the service that organizes the users, computers, and other objects within the Active Directory. An example of the Active Directory is shown in Figure 8-4. Note the list of users (known as objects of the Active Directory) from the Users folder that is highlighted and other folders such as Computers that house other objects.

Figure 8-4. Example of Active Directory Showing User Objects


A Microsoft server that has Active Directory and LDAP running will have inbound port 389 open by default. To protect Active Directory from being tampered with, Secure LDAP can be used, which brings into play SSL (Secure Sockets Layer) on top of LDAP and uses inbound port 636 by default. Other implementations of LDAP use TLS (Transport Layer Security) over LDAP.

Note

LDAP uses port 389 and is most commonly found in Windows domain controllers.

Kerberos and Mutual Authentication

Kerberos is an authentication protocol designed at MIT that enables computers to prove their identity to each other in a secure manner. It is used most often in a client-server environment; the client and the server both verify each other’s identity. This is known as two-way authentication or mutual authentication. Often, Kerberos protects a network server from illegitimate login attempts, just as the mythological three-headed guard dog of the same name (also known as Cerberus) guards Hades.

A common implementation of Kerberos occurs when a user logs on to a Microsoft domain. (Of course, I am not saying that Microsoft domains are analogous to Hades!) The domain controller in the Microsoft domain is known as the KDC or key distribution center. This server works with tickets that prove the identity of users. The KDC is composed of two logical parts: the authentication server and the ticket granting server. Basically, a client computer attempts to authenticate itself to the authentication server portion of the KDC. When done, the client receives a ticket. This is actually a ticket to get other tickets. The client uses this preliminary ticket to demonstrate its identity to a ticket granting server in the hopes of ultimately getting access to a service, for example, making a connection to the Active Directory of a domain controller.

The domain controller running Kerberos will have inbound port 88 open to service logon requests from clients. Figure 8-5 shows a netstat -an command run on a Windows Server 2003 that has been promoted to a domain controller. It points out port 88 (used by Kerberos) and port 389 (used by LDAP) on the same domain controller.

Figure 8-5. Results of the netstat -an Command on a Windows Server 2003


Note

Kerberos uses Port 88. Microsoft domain controllers use this protocol.

Kerberos is designed to protect against replay attacks and eavesdropping. One of the drawbacks of Kerberos is that it relies on a centralized server such as a domain controller. This can be a single point of failure. To alleviate this problem, secondary and tertiary domain controllers can be installed that keep a copy of the Active Directory and are available with no downtime in the case the first domain controller fails. Another possible issue is one of synchronicity. Time between the clients and the domain controller must be synchronized for Kerberos to work properly. If for some reason a client attempting to connect to a domain controller becomes desynchronized, it cannot complete the Kerberos authentication, and as an end result the user cannot log on to the domain. This can be fixed by logging on to the affected client locally and synchronizing the client’s time to the domain controller by using the net time command. For example, to synchronize to the domain controller in Figure 8-5, the command would be

net time \\10.254.254.252 /set

Afterward, the client should be able to connect to the domain. We revisit Kerberos and how it makes use of encryption keys in Chapter 12.
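A simplified model of the two-part KDC and the time check described above, as an added example that is not from the book: the encryption is a toy encrypt-then-MAC construction standing in for Kerberos’ real encryption types, the principal names, passwords and clock values are constructed, and the skew tolerance is assumed to be 5 minutes, the usual default.

```python
# Added example (not from the book): a simplified model of the Kerberos
# AS/TGS exchanges. The encryption is a toy encrypt-then-MAC construction
# standing in for Kerberos' real encryption types; names and clocks are
# constructed. The time check and replay cache are the point.
import hashlib
import hmac
import json
import os

MAX_SKEW = 300          # seconds; assumed 5-minute tolerance, the usual default


def derive_key(password, principal):
    """Toy string-to-key: long-term key derived from a principal's password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, obj):
    """Toy encrypt-then-MAC of a JSON object: nonce || ciphertext || tag."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key, blob):
    """Verify the tag, then decrypt; a wrong key fails here, not later."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))


def check_time(stamp, now):
    """Reject an authenticator whose timestamp is outside the allowed skew."""
    if abs(stamp - now) > MAX_SKEW:
        raise ValueError("clock skew too great")


class KDC:
    """Key distribution center: authentication server (AS) plus ticket-granting server (TGS)."""

    def __init__(self, clock):
        self.clock = clock                  # callable returning the KDC's time
        self.keys = {}                      # principal -> long-term key
        self.tgs_key = os.urandom(32)       # known only to the TGS

    def add_principal(self, name, password):
        self.keys[name] = derive_key(password, name)

    def as_exchange(self, client):
        """AS-REQ/AS-REP: return a TGT, the 'ticket to get other tickets'."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "session": session})
        return seal(self.keys[client], {"session": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ/TGS-REP: trade a TGT and a fresh authenticator for a service ticket."""
        t = unseal(self.tgs_key, tgt)
        session = bytes.fromhex(t["session"])
        check_time(unseal(session, authenticator)["timestamp"], self.clock())
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "session": svc_session})
        return seal(session, {"session": svc_session, "ticket": ticket.hex()})


class Service:
    """An application server, e.g. the directory service on a domain controller."""

    def __init__(self, kdc, name, clock):
        self.key, self.clock, self.seen = kdc.keys[name], clock, set()

    def accept(self, ticket, authenticator):
        t = unseal(self.key, ticket)
        auth = unseal(bytes.fromhex(t["session"]), authenticator)
        check_time(auth["timestamp"], self.clock())
        if (auth["client"], auth["timestamp"]) in self.seen:    # replay cache
            raise ValueError("replayed authenticator")
        self.seen.add((auth["client"], auth["timestamp"]))
        return t["client"]


def client_logon(kdc, service, name, password, client_clock):
    """Client side: AS exchange, then TGS exchange; returns (ticket, authenticator)."""
    rep = unseal(derive_key(password, name), kdc.as_exchange(name))
    session = bytes.fromhex(rep["session"])
    auth = seal(session, {"client": name, "timestamp": client_clock()})
    tgs_rep = unseal(session, kdc.tgs_exchange(bytes.fromhex(rep["tgt"]), auth, service))
    svc_auth = seal(bytes.fromhex(tgs_rep["session"]), {"client": name, "timestamp": client_clock()})
    return bytes.fromhex(tgs_rep["ticket"]), svc_auth
```

A client whose clock is more than MAX_SKEW seconds off the KDC fails in the TGS exchange, which is the desynchronized-client failure the text describes.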

Terminal Services

Terminal Services enable the remote control of Windows servers from a client computer. This client computer could be on the LAN or out on the Internet; so the term “remote” is used loosely. It can also be used to enable clients access to specific applications.

The Terminal Services application is in charge of authenticating terminal users and will do so if the user has been configured properly. For example, in Windows Server 2003, users in question must have Remote Access permissions enabled within the properties of their account. Terminal Services authentication integrates directly with standard Windows Server authentication.

The terminal server will have inbound port 3389 open to accept connections from remote clients. Sessions are stored at the terminal server, allowing for disconnection and later reuse. Terminal Services is now referred to as Remote Desktop Services in newer versions of Windows.

Remote Authentication Technologies

Even more important than authenticating local users is authenticating remote users. The chances of illegitimate connections increase when you allow remote users to connect to your network. Examples of remote authentication technologies include RAS, VPN, RADIUS, TACACS, and CHAP. Let’s discuss these now.

Remote Access Service

Remote Access Service (RAS) began as a service that enabled dial-up connections from remote clients. Nowadays, more and more remote connections are made with high-speed Internet technologies such as cable Internet, DSL, and FIOS. But we can’t discount the dial-up connection. It is used in certain areas where other Internet connections are not available and is still used as a fail-safe in many network operation centers and server rooms to take control of networking equipment.

One of the best things you can do to secure a RAS server is to deny access to individuals who don’t require it. Even if the user or user group is set to “not configured,” it is wise to specifically deny them access. Allow access to only those users who need it. And monitor the logs that list who connects on a daily basis. If there are any unknowns, investigate immediately. Be sure to update the permissions list often in the case that a remote user is terminated or otherwise leaves the organization.

The next most important security precaution is to set up RAS authentication. One secure way is to use the Challenge-Handshake Authentication Protocol (CHAP), an authentication scheme used by the Point-to-Point Protocol (PPP), which is the standard for dial-up connections. It uses a challenge-response mechanism with one-way encryption. Because of this, it is not capable of mutual authentication in the way that Kerberos is, for example. CHAP uses the DES and MD5 encryption types, which we cover in Chapter 12. Microsoft developed its own version of CHAP known as MS-CHAP; an example of this is shown in Figure 8-6. The figure shows the Advanced Security Settings dialog box of a dial-up connection. Notice that this particular configuration shows that encryption is required and that the only protocol allowed is MS-CHAP v2. Of course, the RAS server will have to be configured to accept MS-CHAP connections as well. You also have the option to enable EAP for the dial-up connection. Other RAS authentication protocols include SPAP, which is of lesser security, and PAP, which sends usernames and passwords in clear text—obviously insecure and to be avoided.

Figure 8-6. MS-CHAP Enabled on a Dial-Up Connection

Note

Use CHAP, MS-CHAP, or EAP for dial-up connections. Verify that it is configured properly on the RAS server and dial-up client to ensure a proper handshake.

The CHAP authentication scheme consists of several steps. It authenticates a user or a network host to entities such as Internet access providers. CHAP periodically verifies the identity of the client by using a three-way handshake. The verification is based on a shared secret. After the link has been established, the authenticator sends a challenge message to the peer. The encrypted results are compared, and finally the client is either authorized or denied access.
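The three-way handshake just described, and the one-way-hash property mentioned in the MS-CHAP discussion above, can be seen end to end in a short simulation. This is an added example written for this page, not code from the chapter or from any Windows component; it implements CHAP with MD5 as specified in RFC 1994 (Response = MD5(Identifier || secret || Challenge)) with both the authenticator (RAS server) and the peer (dial-up client) as in-process objects. The peer name and shared secret are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample values, not from the chapter: the peer's PPP name and the
# shared secret that both ends were provisioned with out of band.
PEER_NAME = "dialup-user"
SHARED_SECRET = b"constructed-shared-secret"


def chap_response(identifier, secret, challenge):
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge).

    The hash is one-way, so the secret itself never crosses the link; this is
    also why CHAP cannot prove the authenticator's identity back to the peer."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The RAS server side: issues challenges, remembers them, verifies responses."""

    def __init__(self, secrets):
        self._secrets = secrets      # peer name -> shared secret on file
        self._outstanding = {}       # identifier -> challenge still awaiting a reply
        self._next_id = 0

    def challenge(self):
        # Step 1: once the link is up, send a fresh random challenge tagged with an
        # identifier. A new random value every time is what makes replay useless.
        ident = self._next_id & 0xFF
        self._next_id += 1
        chal = os.urandom(16)
        self._outstanding[ident] = chal
        return ident, chal

    def verify(self, ident, name, response):
        # Step 3: recompute the hash from the stored challenge and the secret on
        # file for this peer, then compare it with what the peer sent.
        chal = self._outstanding.pop(ident, None)   # every challenge is single-use
        secret = self._secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time compare


class Peer:
    """The dial-up client side: answers challenges with a hash, never the secret."""

    def __init__(self, name, secret):
        self.name = name
        self._secret = secret

    def respond(self, ident, challenge):
        # Step 2: hash identifier, secret and challenge; send it with the name.
        return self.name, chap_response(ident, self._secret, challenge)


def run_handshake(auth, peer):
    """Drive the three-way handshake once; True means the peer is authenticated."""
    ident, chal = auth.challenge()
    name, resp = peer.respond(ident, chal)
    return auth.verify(ident, name, resp)


def replayed_response_is_rejected(auth, peer):
    """A response recorded from one handshake is useless later: the challenge it
    answered has been consumed, and the next handshake uses a different one."""
    ident, chal = auth.challenge()
    name, resp = peer.respond(ident, chal)
    first = auth.verify(ident, name, resp)
    second = auth.verify(ident, name, resp)   # the same bytes presented again
    return first and not second


if __name__ == "__main__":
    auth = Authenticator({PEER_NAME: SHARED_SECRET})
    print("good secret :", run_handshake(auth, Peer(PEER_NAME, SHARED_SECRET)))
    print("bad secret  :", run_handshake(auth, Peer(PEER_NAME, b"wrong")))
    print("replay      :", replayed_response_is_rejected(auth, Peer(PEER_NAME, SHARED_SECRET)))
```

The contrast with PAP is the whole point of the hash: with PAP the peer would send `PEER_NAME` and the secret itself, so anyone recording the link has the credential; with CHAP the recording contains only a challenge and a digest that is worthless for the next challenge. Note that the authenticator still needs the plain secret on file to recompute the hash, which is why the RAS server's credential store deserves the same protection as the link.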

The actual data transmitted in these RAS connections is encrypted as well. By default Microsoft RAS connections are encrypted by the RSA RC4 algorithm. More information on this can also be found in Chapter 12.

Now you might say, “But Dave, who cares about dial-up connections?” Well, there are two reasons that this is important. First, these protocols, authentication types, and encryption types are used in other technologies; this is the basis for those systems. Second, as I mentioned before, some organizations still use the dial-up connection—for remote users or for administrative purposes. And hey, don’t downplay the dial-up connection. Old-school dial-up guys used to tweak the connection to the point where it was as fast as some DSL versions and as reliable. So there are going to be die-hards out there as well.

However, RAS now has morphed into something that goes beyond just dial-up. VPN connections that use dial-up, cable Internet, DSL, and so on are all considered remote access.

Virtual Private Networks

A virtual private network (VPN) is a connection between two or more computers or devices not on the same private network. Generally, VPNs use the Internet to connect one host to another. It is desirable that only proper users and data sessions make their way to a VPN device; because of this, data encapsulation and encryption are used. A “tunnel” is created through any LANs and WANs that might intervene; this tunnel connects the two VPN devices together. Every time a new session is initiated, a new tunnel is created, which makes the connection secure.

VPNs normally use one of two tunneling protocols, as shown in Table 8-1.

Table 8-1. VPN Tunneling Protocols

PPTP and L2TP can cause a lot of havoc if the security settings are not configured properly on the client and the server side. This can cause errors; you can find a link to the list of these error codes at the end of the chapter in the “View Recommended Resources” section. We cover PPTP and L2TP encryption in Chapter 13.

Figure 8-7 shows an illustration of a VPN. Note that the VPN server is on one side of the cloud and the VPN client is on the other. It should be known that the VPN client will have a standard IP address to connect to its own LAN. However, it will receive a second IP address from the VPN server or a DHCP device. This second IP address works “inside” of the original IP address. So, the client computer will have two IP addresses; in essence, the VPN address is encapsulated within the logical IP address. As we mentioned before, dial-up authentication protocols such as CHAP are also used in other technologies; this is one of those examples. VPN adapters, regardless of the Internet connection used, can use MS-CHAP, as shown in the figure. To further increase authentication security, a separate RADIUS server can be used with the VPN server—we will talk more about RADIUS in the next section.

Figure 8-7. Illustration of a VPN

Note

VPNs use either PPTP (Port 1723) or L2TP (Port 1701) and can also incorporate CHAP on the client side and RADIUS servers for authentication.

A Microsoft VPN can be set up on a standard Windows Server by configuring Routing and Remote Access Service (RRAS). Remote access policies can be created from here that permit or deny access to groups of users for dial-in or VPN connections. An example of this is illustrated in Figure 8-8. Note the Remote Access Policies section within Server 2003 in the MMC. By right-clicking this, you can create a new policy. The New Remote Access Policy Wizard window is open and is in the process of creating a policy for VPN connections.

Figure 8-8. A RRAS VPN Policy on a Windows Server 2003

Note

Remote access policies can be configured in the RRAS snap-in of Windows Server to permit or deny access to remote users and groups.

Of course, you can run a VPN locally as well, and some companies do. We do just that in Lab 2 in the “Hands-On Labs” section at the end of the chapter to demonstrate the setup of a working VPN.

RADIUS Versus TACACS

The Remote Authentication Dial-In User Service (RADIUS) provides centralized administration of dial-up, VPN, and wireless authentication and can be used with EAP and 802.1X. To set this up on a Windows Server, the Internet Authentication Service must be loaded; it is usually set up on a separate physical server. RADIUS is a client-server protocol that runs on the Application Layer of the OSI model. RADIUS works with the AAA concept: It is used to authenticate users, authorize them to services, and account for the usage of those services. RADIUS checks if the correct authentication scheme such as CHAP or EAP is used by connecting clients. RADIUS commonly uses port 1812 for authentication messages and port 1813 for accounting messages. These are the ports you should memorize for the exam. In rarer cases, it will use ports 1645 and 1646 for these messages, respectively.

Note

In the section “Hands-On Labs,” which appears at the end of this chapter, Lab 8-3 shows you how to set up a RADIUS server.

The Terminal Access Controller Access-Control System (TACACS) is one of the most confusing-sounding acronyms ever. Now that we have reached the pinnacle of computer acronyms, let’s really discuss what it is. TACACS is another remote authentication protocol used more often in UNIX networks. In UNIX, the TACACS service is known as the TACACS daemon. The newer and more commonly used implementation of TACACS is called TACACS+. It is not backward compatible with TACACS. TACACS+ was developed by Cisco and uses inbound port 49.

There are a few differences between RADIUS and TACACS+. RADIUS uses UDP as its Transport Layer protocol. TACACS+ uses TCP as its Transport Layer protocol, which is usually seen as a more reliable transport protocol. Also, RADIUS combines the authentication and authorization functions together when dealing with users; however, TACACS+ separates these two functions into two separate operations, which introduces another layer of security. TACACS encrypts client-server dialogues whereas RADIUS does not. Finally, TACACS+ provides for more types of authentication requests than RADIUS.
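The RADIUS points made in the last two paragraphs (UDP on 1812/1813, a client-server exchange, and the fact that RADIUS does not encrypt the dialogue) are concrete enough to build by hand. The following is an added example written for this page, not code from the chapter, from Microsoft IAS or from any RADIUS product; it constructs an Access-Request as defined in RFC 2865 (header, Request Authenticator, TLV attributes), applies the User-Password hiding from section 5.2 of that RFC (RFC 2865 calls it "hiding", not encryption, since only that one attribute is obscured), answers it as a toy server, and shows the Response Authenticator check a RADIUS client performs before trusting an Access-Accept. The shared secret, user name, password and NAS address are constructed sample values; no sockets are opened.

```python
import hashlib
import hmac
import os
import struct

# Ports and codes are from RFC 2865 / RFC 2866; everything else below is constructed.
RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-byte Authenticator follows


def attribute(attr_type, value):
    """One Type-Length-Value attribute; Length counts the two header bytes too."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _keystream_xor(data, secret, request_auth, chained_on_output):
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret || previous block),
    where the first 'previous block' is the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, mask))
        out += result
        prev = result if chained_on_output else block   # hide chains on ciphertext
    return out


def hide_password(password, secret, request_auth):
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a 16-byte multiple
    return _keystream_xor(padded, secret, request_auth, chained_on_output=True)


def reveal_password(hidden, secret, request_auth):
    # Stripping NULs undoes the padding (passwords ending in NUL are not supported).
    return _keystream_xor(hidden, secret, request_auth, chained_on_output=False).rstrip(b"\x00")


def build_access_request(identifier, username, password, nas_ip, secret):
    """What a RAS/VPN server (the RADIUS client) would send to UDP port 1812."""
    request_auth = os.urandom(16)   # fresh per request; also keys the password hiding
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_packet(data):
    """Return (code, identifier, length, authenticator, {type: value})."""
    code, ident, length = HEADER.unpack(data[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        attrs[t] = data[pos + 2:pos + l]
        pos += l
    return code, ident, length, data[4:20], attrs


def build_response(code, request, secret, attrs=b""):
    """Server reply. Its Response Authenticator is MD5 over the reply header, the
    Request Authenticator, the reply attributes and the shared secret."""
    _, ident, _, request_auth, _ = parse_packet(request)
    head = HEADER.pack(code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """RADIUS-client side: trust an Access-Accept only if it answers our request
    and was built with the shared secret; anything else is discarded."""
    code, ident, length, resp_auth, _ = parse_packet(response)
    _, req_ident, _, request_auth, _ = parse_packet(request)
    attrs = response[20:length]
    expected = hashlib.md5(response[:4] + request_auth + attrs + secret).digest()
    return ident == req_ident and hmac.compare_digest(expected, resp_auth)


def handle_access_request(request, secret, user_db):
    """Toy server: recover the password, check it, answer Accept or Reject.
    user_db maps user name to password bytes (a real server would consult a
    stored verifier or the directory rather than plain passwords)."""
    code, ident, _, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST or ATTR_USER_PASSWORD not in attrs:
        return build_response(ACCESS_REJECT, request, secret)
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def visible_without_secret(request):
    """What anyone on the path can read: the user name is plain text and only the
    User-Password attribute is hidden. TACACS+ instead encrypts the whole body."""
    _, _, _, _, attrs = parse_packet(request)
    return attrs[ATTR_USER_NAME].decode(), attrs[ATTR_USER_PASSWORD]
```

Two things in this exchange are worth carrying over to a real deployment. First, every protection here rests on the shared secret configured in Step 3 of Lab 8-3, so a short or reused pass-phrase weakens both the password hiding and the Response Authenticator check at once. Second, `visible_without_secret` shows why the chapter recommends running RADIUS on a separate, protected server segment: the user name, NAS address and accounting data cross the network in the clear.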

Table 8-2 summarizes the local and remote authentication technologies we have covered thus far.

Table 8-2. Summary of Authentication Technologies

Exam Preparation Tasks: Review Key Topics

Review the most important topics in the chapter, noted with the Key Topics icon in the outer margin of the page. Table 8-3 lists a reference of these key topics and the page numbers on which each is found.

Table 8-3. Key Topics for Chapter 8

Complete Tables and Lists from Memory

Print a copy of Appendix A, “Memory Tables,” (found on the DVD), or at least the section for this chapter, and complete the tables and lists from memory. Appendix B, “Memory Tables Answer Key,” also on the DVD, includes completed tables and lists to check your work.

Define Key Terms

Define the following key terms from this chapter, and check your answers in the glossary:

identification, authentication, authorization, identity proofing, security tokens, multifactor authentication, biometrics, mantrap, 802.1X, Extensible Authentication Protocol (EAP), single sign-on (SSO), false positive, false negative, Lightweight Directory Access Protocol (LDAP), Kerberos, mutual authentication, tickets, Challenge-Handshake Authentication Protocol (CHAP), Remote Access Service (RAS), virtual private network (VPN), Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access-Control System (TACACS)

Hands-On Labs

Complete the following written step-by-step scenarios. After you finish (or if you do not have adequate equipment to complete the scenario), watch the corresponding video solution on the DVD.

If you have additional questions, feel free to post them at my website: www.davidlprowse.com in the Ask Dave forum. (Free registration is required to post on the website.)

Equipment Needed

A computer network including the following:

• Windows client computer (Windows Vista or Windows 7 preferred)

• Windows Server 2003 or 2008

• D-Link DIR-655 or similar router:

• If you have access to an actual DIR-655, make sure that it is updated to the latest firmware. Then connect to it by opening a web browser and typing the IP address of the router in the URL field, for example, 192.168.0.1. Next, at the login screen, type the password for the router, and click the Log In button. This should display the Device Information page. Start at this page for each of the three labs.

• If you do not have access to an actual DIR-655, use the D-Link simulator located at http://support.dlink.com/Emulators/dir655/index.html. Then select the first option: DIR-655 Device UI. Next, at the login screen, click the Log In button. (No password is necessary.) This should display the Device Information page. Start at this page for each of the three labs.

Lab 8-1: Enabling 802.1X on a Network Adapter

In this lab, you turn on the 802.1X feature in Windows Vista. The steps are as follows:

Step 1. Open the Network and Sharing Center.

Step 2. Click the Manage network connections link. This displays the Network Connections window.

Step 3. Right-click the Local Area Connection and select Properties. This displays the Local Area Connection Properties window.

Step 4. Click the Authentication tab.

Step 5. Check the Enable IEEE 802.1X authentication checkbox.

Step 6. Select Microsoft: Protected EAP (PEAP) from the drop-down menu.

Step 7. Explore the additional settings by clicking the Settings button.

Watch the solution video in the “Hands-On Scenarios” section of the DVD.

Lab 8-2: Setting Up a VPN

In this lab, we demonstrate how to set up a VPN using a Windows Server 2008 as the VPN server and a Windows Vista computer as the client. Windows Server 2003 works in a similar fashion. The steps are as follows:

Step 1. Access the server.

Step 2. Open your MMC. If you don’t have one, create one now and add the Server Manager and Computer Management snap-ins.

Step 3. If you use Windows Server 2008, you need to have the Network Policy and Access Services role installed within the Roles section of Server Manager. Windows Server 2003 does not need this.

Step 4. Add the RRAS snap-in.

A. Click File; then click Add/Remove Snap-In.

B. Scroll down to Routing and Remote Access and click Add.

C. Click OK.

Step 5. Add the local server into the RRAS snap-in.

A. Expand the newly added Routing and Remote Access snap-in, right-click Server Status, and click Add Server.

B. Select the This computer radio button and click OK.

Step 6. Configure RRAS.

A. Right-click the server name.

B. Select Configure and Enable Routing and Remote Access.

C. Click Next for the wizard intro.

D. Select the Custom configuration radio button, and click Next.

E. Check VPN access, and click Next.

F. Click Finish.

Step 7. Expand the server. Verify that there is a green arrow pointing up. This indicates that the service is indeed started. If it is not, check the service status within Computer Management.

Step 8. Check the ports used on the server by accessing the Command Prompt and typing netstat –an.

Step 9. Verify that the proper accounts are allowed dial-in and VPN access.

A. Navigate to Computer Management > System Tools > Local Users and Groups > Users.

B. Right-click the Administrator account, and select Properties. You can use another account (or accounts) if you want. Just remember to connect as that account from the VPN client later.

C. Click the Dial-in tab.

D. Select the Allow Access radio button and click OK. Do this for any other accounts that you want to have access to the VPN server.

Step 10. Configure the VPN adapter on Windows Vista. (Other operating systems such as Windows 7 will be similar in navigation and configuration.)

A. Access the Network and Sharing Center.

B. Click the Set up a connection or network link.

C. Select Connect to a workplace and click Next.

D. Select Use my Internet connection (VPN).

E. Type the IP address of the VPN server in the Internet address: field. For example, 10.254.254.252.

F. Give a name to the VPN connection in the Destination name: field and click Next.

G. Type the username and password of the account on the VPN server that has VPN access enabled. Then click Connect.

Step 11. Check the VPN adapter’s IP configuration by accessing the Command Prompt and typing ipconfig/all. Note the VPN adapter IP address and the Local Area Connection IP address.

Keep the VPN adapter so that you can use it in Lab 3.

Watch the solution video in the “Hands-On Scenarios” section of the DVD.

Lab 8-3: Setting Up a RADIUS Server

In this lab, we demonstrate how to set up a RADIUS server using a Windows Server 2003. We also show how to point to a RADIUS server from a SOHO 4-port router. Finally, we show some different authentication techniques on the server and the client side. The steps are as follows:

Step 1. Access the server and install the Internet Authentication Service.

A. Click Start > Control Panel > Add or Remove Programs.

B. Click Add/Remove Windows Components.

C. Scroll down to Networking Services and click Details.

D. Check Internet Authentication Service and click OK.

E. Click Next. This installs the service. Click Finish when complete.

Step 2. Open the MMC and add the Internet Authentication Service snap-in.

Step 3. Add a RADIUS client.

A. Expand the Internet Authentication Service snap-in, right-click RADIUS Clients and click New RADIUS client.

B. Type a friendly name for the client and the IP address of the computer that will be connecting to the RADIUS server. Then click Next.

C. Select RADIUS Standard for the client-vendor attribute.

D. Create a pass-phrase and confirm it. Click Finish.

Step 4. Create a Remote Access Policy.

A. Right-click Remote Access Policies and select New Remote Access Policy.

B. Click Next for the wizard.

C. Use the wizard to set up the policy and name the policy. Then click Next.

D. Select the VPN radio button. Then click Next.

E. Select the User radio button. Then click Next.

F. Checkmark the Extensible Authentication Protocol (EAP) and select Protected EAP (PEAP) as the type. Then click Next.

G. Leave the default encryption options. Then click Next.

H. Click Finish to complete the configuration.

Step 5. Configure the Windows Vista client.

A. Right-click the client computer’s VPN adapter and select Properties.

B. Click the Security tab.

C. Select the Advanced (custom settings) radio button. Then click the Settings button.

D. Click the Use Extensible Authentication Protocol (EAP).

E. Click the drop-down menu, and select Protected EAP (PEAP).

F. Click OK for all dialog boxes.

Step 6. Configure a SOHO 4-port router to point to a VPN server and a RADIUS server.

A. Log in to the DIR-655 router. If you do not have an actual device, use the emulator online at the link given in the beginning of this lab document.

B. Click the SETUP link.

C. Click the Manual Internet Connection Setup button.

D. In the My Internet Connection Is drop down menu, select PPTP.

E. Add the IP address of the VPN server in the PPTP Server IP Address field.

F. Click the SETUP link.

G. Click the Wireless Settings link on the left side.

H. Click the Manual Wireless Network Setup button.

I. Enable wireless.

J. Scroll down, and in the Security Mode drop-down menu, select WPA-Enterprise.

K. Scroll down further, and type the IP address of the RADIUS server into the RADIUS Server IP Address field.

L. Check the port used. By default, this is 1812, but if the server is using a different port, you have to change it.

Watch the solution video in the “Hands-On Scenarios” section of the DVD.

View Recommended Resources

Recommended reading:

• Harper, Jim. “Identity Crisis: How Identification is Overused and Misunderstood.” Cato Institute 2006.

Internet links:

• HID Door Access Control Systems: www.hidglobal.com/products/readers.php

802.1X links:

• Official IEEE 802.1X PDF download: http://standards.ieee.org/getieee802/download/802.1X-2004.pdf

• Intel: Wireless Networking 802.1X Overview: www.intel.com/support/wireless/wlan/sb/cs-008413.htm

• Cisco: Deploying 802.1X Technology with Cisco Integrated Service Routers: www.cisco.com/en/US/prod/collateral/routers/ps5853/prod_white_paper0900aecd806c6d65.html

• Open1X: http://open1x.sourceforge.net/

LDAP links:

• IETF Technical Specifications: http://tools.ietf.org/html/rfc4510

• Open LDAP: www.openldap.org/

• Microsoft: How to enable LDAP over SSL: http://support.microsoft.com/kb/321051

Kerberos links:

• Kerberos Explained: http://technet.microsoft.com/en-us/library/bb742516.aspx

• Kerberos: The Network Authentication Protocol: http://web.mit.edu/Kerberos/

• Kerberos Consortium: www.kerberos.org/

RAS links:

• RAS Security: http://technet.microsoft.com/en-us/library/cc751466.aspx

• How to Enforce a Remote Access Policy in Windows Server: http://support.microsoft.com/kb/313082

• List of Microsoft dial-up and VPN error codes: http://support.microsoft.com/kb/824864

RADIUS and TACACS links:

• Microsoft RADIUS Protocol Security and Best Practices: http://technet.microsoft.com/en-us/library/bb742489.aspx

• Free GNU RADIUS: www.gnu.org/software/radius/

• FreeRADIUS: http://freeradius.org/

• TACACS+ and RADIUS Comparison: www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

Answer Review Questions

Answer the following review questions. You can find the answers at the end of this chapter.

1. Which of the following is the verification of a person’s identity?

A. Authorization

B. Accountability

C. Authentication

D. Password

2. Which of the following would fall into the category of “something a person is”?

A. Passwords

B. Passphrases

C. Fingerprints

D. Smart Cards

3. Which of the following are good practices for tracking user identities? (Select the two best answers.)

A. Video cameras

B. Key card door access systems

C. Sign-in sheets

D. Security guards

4. What are two examples of common single sign-on authentication configurations? (Select the two best answers.)

A. Biometrics-based

B. Multifactor authentication

C. Kerberos-based

D. Smart card-based

5. Which of the following is an example of two factor authentication?

A. L2TP and IPSec

B. Username and password

C. Thumb print and key card

D. Client and server

6. What is the main purpose of a physical access log?

A. To enable authorized employee access

B. To show who exited the facility

C. To show who entered the facility

D. To prevent unauthorized employee access

7. Which of the following is not a common criteria when authenticating users?

A. Something you do

B. Something you are

C. Something you know

D. Something you like

8. Of the following, what two authentication mechanisms require something you physically possess? (Select the two best answers.)

A. Smartcard

B. Certificate

C. USB flash drive

D. Username and password

9. Which of the following is the final step a user needs to take before that user can access domain resources?

A. Verification

B. Validation

C. Authorization

D. Authentication

10. To gain access to your network, users must provide a thumbprint and a username and password. What type of authentication model is this?

A. Biometrics

B. Domain logon

C. Multifactor

D. Single sign-on

11. The IT director has asked you to set up an authentication model in which users can enter their credentials one time, yet still access multiple server resources. What type of authentication model should you implement?

A. Smartcard and biometrics

B. Three factor authentication

C. SSO

D. VPN

12. Which of the following about authentication is false?

A. RADIUS is a client/server system that provides authentication, authorization, and accounting services.

B. PAP is insecure because usernames and passwords are sent as clear text.

C. MS-CHAPv1 is capable of mutual authentication of the client and server.

D. CHAP is more secure than PAP because it encrypts usernames and passwords.

13. What types of technologies are used by external motion detectors? (Select the two best answers.)

A. Infrared

B. RFID

C. Gamma rays

D. Ultrasonic

14. In a secure environment, which authentication mechanism performs better?

A. RADIUS because it is a remote access authentication service.

B. RADIUS because it encrypts client/server passwords.

C. TACACS because it is a remote access authentication service.

D. TACACS because it encrypts client/server negotiation dialogues.

15. Which port number does the protocol LDAP use when it is secured?

A. 389

B. 443

C. 636

D. 3389

16. Which of the following results occurs when a biometric system identifies a legitimate user as unauthorized?

A. False rejection

B. False positive

C. False negative

D. False exception

17. Of the following, which is not a logical method of access control?

A. Username/password

B. Access control lists

C. Biometrics

D. Software-based policy

18. Which of the following permits or denies access to resources through the use of ports?

A. Hub

B. 802.11n

C. 802.11x

D. 802.1X

19. Your data center has highly critical information. Because of this you want to improve upon physical security. The data center already has a video surveillance system. What else can you add to increase physical security? (Select the two best answers.)

A. A software-based token system

B. Access control lists

C. A man trap

D. Biometrics

20. Which authentication method completes the following in order: Logon request, encrypts value response, server, challenge, compare encrypts results, and authorize or fail referred to?

A. Security tokens

B. Certificates

C. Kerberos

D. CHAP

21. What does a virtual private network use to connect one remote host to another? (Select the best answer.)

A. Modem

B. Network adapter

C. Internet

D. Cell phone

22. Two items are needed before a user can be given access to the network. What are these two items? (Select the two best answers.)

A. Authentication and authorization

B. Authorization and identification

C. Identification and authentication

D. Password and authentication

23. Kerberos uses which of the following? (Select the two best answers.)

A. Ticket distribution service

B. The Faraday cage

C. Port 389

D. Authentication service

24. Which of the following authentication systems make use of a Key Distribution Center?

A. Security tokens

B. CHAP

C. Kerberos

D. Certificates

25. Of the following, which best describes the difference between RADIUS and TACACS?

A. RADIUS is a remote access authentication service.

B. RADIUS separates authentication, authorization, and auditing capabilities.

C. TACACS is a remote access authentication service.

D. TACACS separates authentication, authorization, and auditing capabilities.

Answers and Explanations

1. C. Authentication is the verification of a person’s identity. Authorization to specific resources cannot be accomplished without previous authentication of the user.

2. C. Fingerprints are an example of something a person is. The process of measuring that characteristic is known as biometrics.

3. A and B. Video cameras enable a person to view and visually identify users as they enter and traverse through a building. Key card access systems can be configured to identify a person as well, as long as the right person is carrying the key card!

4. C and D. Kerberos and smart card setups are common single sign-on configurations.

5. C. Two-factor authentication (or dual-factor) means that two pieces of identity are needed prior to authentication. A thumb print and key card would fall into this category. L2TP and IPSec are protocols used to connect through a VPN, which by default require only a username and password. Username and password is considered one-factor authentication. There is no client and server authentication model.

6. C. A physical access log’s main purpose is to show who entered the facility and when. Different access control and authentication models will be used to permit or prevent employee access.

7. D. Common criteria when authenticating users includes something you do, something you are, something you know, and something you have. A person’s likes and dislikes are not common criteria; although, they may be asked as secondary questions when logging into a system.

8. A and C. Two of the authentication mechanisms that require something you physically possess include smart cards and USB flash drives. Key fobs and card keys would also be part of this category. Certificates are granted from a server and are stored on a computer as software. The username/password mechanism is a common authentication scheme but they are something that you type and not something that you physically possess.

9. C. Before a user can gain access to domain resources, the final step is to be authorized to those resources. Previously the user should have provided identification to be authenticated.

10. C. Multifactor authentication means that the user must provide two different types of identification. The thumbprint is an example of biometrics. Username and password are an example of a domain logon. Single sign-on would only be one type of authentication that enables the user access to multiple resources.

11. C. Single sign-on or SSO enables users to access multiple servers and multiple resources while entering their credentials only once. The type of authentication can vary but will generally be a username and password. Smart cards and biometrics are an example of two-factor authentication. VPN is short for virtual private network.

12. C. MS-CHAPv1 is not capable of mutual authentication of the client and server. Mutual authentication is accomplished with Kerberos. All the other statements are true.

13. A and D. Motion detectors often use infrared technology; heat would set them off. They also use ultrasonic technology; sounds in higher spectrums that humans cannot hear would set these detectors off.

14. D. Unlike RADIUS, TACACS (Terminal Access Controller Access-Control System) encrypts client/server negotiation dialogues. Both protocols are remote authentication protocols.

15. C. Port 636 is the port used to secure LDAP. Port 389 is the standard LDAP port number. Port 443 is used by HTTPS (SSL/TLS), and Port 3389 is used by RDP.

16. C. False rejection happens when a biometric system fails to identify a legitimate user. A false positive is a Type I error, which rejects a null hypothesis when it is actually true. A false negative is a Type II error, which rejects a null hypothesis when it is not true. False exceptions have to do with software that has failed and needs to be debugged.

17. C. The only answer that is not a logical method of access control is biometrics. Biometrics deals with the physical attributes of a person and is the most tangible of the answers. All the rest deal with software, so they are logical methods.

18. D. 802.1X permits or denies access to resources through the use of ports. It implements port-based Network Access Control or PNAC. This is part of the 802.1 group of IEEE protocols. 802.1X should not be confused with 802.11x, which is an informal term used to denote any of the 802.11 standards including 802.11b, 802.11g, and 802.11n. A hub connects computers by way of physical ports but does not permit or deny access to any particular resources; it is a simple physical connector of computers.

19. C and D. A man trap is a device made to capture a person. It is usually an area with two doorways, the first of which leads to the outside and locks when the person enters, the second of which leads to the secure area and is locked until the person is granted access. Biometrics can help in the granting of this access by authenticating the user in a secure way, such as thumb print, retina scan, and so on. Software-based token systems and access control lists are both logical and do not play into physical security.

20. D. CHAP, the Challenge Handshake Authentication Protocol, authenticates a user or a network host to entities like Internet access providers. CHAP periodically verifies the identity of the client by using a three-way handshake; the verification is based on a shared secret. After a link has been established, the authenticator sends a challenge message to the peer; this does not happen in the other three authentication methods listed.

21. C. The Internet is used to connect hosts to each other in virtual private networks. A particular computer will probably also use a VPN adapter and/or a network adapter. Modems are generally used in dial-up connections and not used in VPNs.

22. C. Before users can be given access to the network, the network needs to identify them and authenticate them. Later users may be authorized to use particular resources on the network. Part of the authentication scheme may include a username and password. This would be known as an access control method.

23. A and D. Kerberos uses a ticket distribution service and an authentication service. This is provided by the Key Distribution Center. A Faraday cage is used to block data emanations. Port 389 is used by LDAP. One of the more common ports that Kerberos uses is port 88.

24. C. Kerberos uses a KDC or Key Distribution Center to centralize the distribution of certificate keys and keep a list of revoked keys.

25. D. Unlike RADIUS, TACACS separates authentication, authorization, and auditing capabilities. The other three answers are incorrect and are not differences between RADIUS and TACACS.
