pace-it: network hardening techniques (part 3)

Network hardening techniques III.

Upload: pace-it-at-edmonds-community-college

Post on 10-Aug-2015


TRANSCRIPT

Network hardening techniques III.

Page 2

Brian K. Ferrill, M.B.A.

Instructor, PACE-IT Program – Edmonds Community College

Areas of Expertise

PC Hardware

Network Administration

IT Project Management

Network Design

User Training

IT Troubleshooting

Industry Certifications

Qualifications Summary

Education

M.B.A., IT Management, Western Governors University

B.S., IT Security, Western Governors University

Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions.

Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs, and creating the solutions required, with a focus on technology.

Page 3


– User authentication.

– Authentication and authorization methods.

PACE-IT.

Page 4

User authentication.

Page 5

User authentication.

Hardening the network will not do any good if there is poor authentication of the users and devices that are allowed on the network.

Authentication is the process of proving that you are who you claim to be (for a person) or that a device is what it claims to be. It is different from authorization, which determines what an authenticated user or device is allowed to do.

There are several different factors by which users can be authenticated, and several different protocols through which authentication can be implemented.


Page 6

User authentication.

– Basic authentication.» There are three basic factors for authenticating users.

• By what they know—the username and password method.

• By what they are—commonly implemented through biometrics (e.g., a fingerprint or retinal scan).

• By what they have—commonly implemented through a security token, such as a smart card or a device that generates one-time codes.

– Multifactor authentication.» Requiring more than one of the factors of authentication (e.g., a password and a fingerprint scan, or a password and the code from a security token).

• Multifactor authentication increases the security of the authentication process. Two passwords are still a single factor; the factors must be of different kinds, so that compromising one (e.g., a leaked password) does not compromise the other.

– Single sign-on.» A process in which the user authenticates once, to a central authentication service, and is then granted access to every network resource they are authorized for without having to authenticate again for each resource request. Kerberos (covered below) is one way single sign-on is implemented.
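The three factors and the multifactor requirement above, shown as an added example that is not part of the PACE-IT deck: a login that checks a password ("what you know") against a salted hash and a one-time code ("what you have") computed with the RFC 4226/6238 HOTP/TOTP algorithm that hardware and app tokens use. The user record, the password and the token seed (the RFC test seed) are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Constructed example (not from the PACE-IT deck): a user record that stores a
# salted PBKDF2 hash of the password (something you know) and the seed shared
# with the user's software or hardware token (something you have).
PBKDF2_ITERATIONS = 200_000
TOTP_STEP_SECONDS = 30


def make_password_record(password: str) -> dict:
    """Store only a salted, stretched hash; the clear-text password is never kept."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def check_password(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])   # constant-time compare


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // TOTP_STEP_SECONDS, digits)


def check_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to absorb clock drift.
    A real deployment also records the accepted step so the same code cannot be reused."""
    step = unix_time // TOTP_STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-window, window + 1))


def authenticate(user: dict, password: str, code: str, unix_time: Optional[int] = None) -> bool:
    """Multifactor login: both factors are always evaluated, and only the combined
    verdict is returned, so a failed attempt does not reveal which factor was wrong."""
    now = int(time.time()) if unix_time is None else unix_time
    password_ok = check_password(user["password"], password)
    token_ok = check_totp(user["totp_seed"], code, now)
    return password_ok and token_ok


if __name__ == "__main__":
    # Demo with the RFC 4226/6238 test seed; the enrolled user is constructed.
    seed = b"12345678901234567890"
    alice = {"password": make_password_record("correct horse battery"), "totp_seed": seed}
    now = int(time.time())
    print("current code:", totp(seed, now))
    print("login ok:", authenticate(alice, "correct horse battery", totp(seed, now), now))
    print("wrong code:", authenticate(alice, "correct horse battery", "000000", now))
```

With the RFC test seed, `hotp` reproduces the published RFC 4226 vectors (counter 0 gives 755224), which is the quickest way to confirm an implementation before enrolling real tokens. The drift window is deliberately small: every extra step accepted widens the space an attacker can guess, so pair it with rate limiting on failed attempts.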


Page 7

Authentication and authorization methods.

Page 8

Authentication and authorization methods.

– PAP (Password Authentication Protocol).

» When logging into a network resource, the user or device is required to supply a username and password.

• The username and password are sent in clear text, so anyone who can capture traffic on the link obtains the credentials. PAP is considered unsecure and should only be used as a last resort, and then only over a link that is already encrypted by another layer.

– CHAP (Challenge Handshake Authentication Protocol).

» When logging into a network resource, the user or device proves that it knows a secret shared with the resource without ever sending the secret, through a three-way handshake (RFC 1994):

• The resource (the authenticator) sends a challenge: a random value together with an identifier.

• The user's device sends back its name and the MD5 hash of the identifier, the shared secret and the challenge value.

• The resource computes the same hash from its own copy of the secret and either accepts or rejects the connection.

• Because each challenge is a fresh random value, a captured response cannot be replayed, and the authenticator may re-challenge at any time during the session. An eavesdropper who records a challenge and response can still try candidate secrets offline, so CHAP secrets must be long and random.
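The PAP packet and the CHAP three-way handshake described above, as an added example that is not from the PACE-IT deck. Both sides of each exchange are modelled; the authenticator name nas01, the peer alice and the shared secret are constructed. The CHAP response value is the MD5 of identifier, secret and challenge, as RFC 1994 specifies.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed example (not from the PACE-IT deck). The authenticator's store of
# shared secrets and the peer name "alice" are assumptions for the demo.
AUTHENTICATOR_NAME = "nas01"
SECRETS_DB = {"alice": b"long-random-chap-secret-0x7f3a"}


# ---- PAP (RFC 1334): the credential itself crosses the link ----
def pap_authenticate_request(peer_id: str, password: bytes) -> bytes:
    """Wire image of a PAP Authenticate-Request: Peer-ID and Password, length-prefixed, unprotected."""
    return bytes([len(peer_id)]) + peer_id.encode() + bytes([len(password)]) + password


def pap_verify(packet: bytes) -> bool:
    id_len = packet[0]
    peer_id = packet[1:1 + id_len].decode()
    pw_len = packet[1 + id_len]
    password = packet[2 + id_len:2 + id_len + pw_len]
    return peer_id in SECRETS_DB and hmac.compare_digest(password, SECRETS_DB[peer_id])


# ---- CHAP (RFC 1994): only a hash bound to a fresh random challenge crosses the link ----
@dataclass
class ChapChallenge:
    identifier: int   # ties the Response to this particular Challenge
    value: bytes      # random challenge value
    name: str         # authenticator's name


@dataclass
class ChapResponse:
    identifier: int
    value: bytes      # MD5(identifier || secret || challenge)
    name: str         # peer's name, in the clear so the authenticator can look up the secret


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_issue_challenge(identifier: int) -> ChapChallenge:
    """Step 1, authenticator -> peer. A new random value every time defeats replay."""
    return ChapChallenge(identifier, secrets.token_bytes(16), AUTHENTICATOR_NAME)


def chap_peer_respond(challenge: ChapChallenge, name: str, secret: bytes) -> ChapResponse:
    """Step 2, peer -> authenticator. The secret goes into the hash but is never transmitted."""
    return ChapResponse(challenge.identifier,
                        chap_response_value(challenge.identifier, secret, challenge.value), name)


def chap_verify(challenge: ChapChallenge, response: ChapResponse) -> bool:
    """Step 3, authenticator recomputes the hash from its own copy of the secret and compares."""
    if response.identifier != challenge.identifier or response.name not in SECRETS_DB:
        return False
    expected = chap_response_value(challenge.identifier, SECRETS_DB[response.name], challenge.value)
    return hmac.compare_digest(expected, response.value)


if __name__ == "__main__":
    secret = SECRETS_DB["alice"]
    pap_packet = pap_authenticate_request("alice", secret)
    print("PAP accepted:", pap_verify(pap_packet), "| secret visible on the wire:", secret in pap_packet)

    challenge = chap_issue_challenge(identifier=7)
    response = chap_peer_respond(challenge, "alice", secret)
    print("CHAP accepted:", chap_verify(challenge, response),
          "| secret visible on the wire:", secret in response.value)
    # Replaying a captured response against a fresh challenge fails.
    print("replayed response accepted:", chap_verify(chap_issue_challenge(identifier=8), response))
```

Running it shows the difference the slide is making: the PAP packet contains the secret verbatim, the CHAP response never does, and a recorded response is useless against the next challenge. The caveats are that CHAP still lets an eavesdropper who captures a challenge and response test candidate secrets offline, and that the authenticator must hold the secret in recoverable form to recompute the hash, which is the weakness MS-CHAP was designed to address.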


Page 9

Authentication and authorization methods.

– MS-CHAP (Microsoft CHAP).» Microsoft's variant of CHAP. It authenticates with the Windows NT password hash, so the server can store password hashes instead of clear-text secrets, and version 2 (MS-CHAPv2) adds mutual authentication. Its cryptography is weak by current standards, so MS-CHAPv2 should only be used inside an encrypted tunnel such as PEAP or EAP-TTLS, never bare.

– EAP (Extensible Authentication Protocol).

» Not a single authentication method on its own, but a framework (RFC 3748) that carries any of many authentication methods between a client and an authentication server. It started on PPP remote access links and is now the basis of IEEE 802.1X port-based access control on wired switches and WPA-Enterprise wireless networks.

• Dozens of EAP methods are registered with IANA. The widely deployed ones are EAP-TLS (certificate-based, mutual authentication), PEAP and EAP-TTLS (a TLS tunnel that protects an inner method such as MS-CHAPv2), and EAP-MD5 (a CHAP-style hash exchange that provides neither mutual authentication nor key material, so it is unsuitable for wireless).

• Kerberos is not an EAP method; it is a separate authentication and authorization system, described next.
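To make the framework idea concrete, here is an added example (not from the PACE-IT deck) that encodes and decodes the RFC 3748 EAP envelope shared by every method: a four-byte header of Code, Identifier and Length, then a Type byte and method-specific data. The packets built in the demo, the identity alice@example.com and the authenticator name nas01 are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed example (not from the PACE-IT deck): a minimal encoder/decoder for
# the EAP packet envelope of RFC 3748. The packets built in the demo are made up.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# A few of the method types from the IANA EAP registry. The Type byte is the
# extension point: the same four-byte header carries any of them.
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


@dataclass
class EapPacket:
    code: int
    identifier: int              # matches a Response to its Request
    length: int                  # covers the whole packet, header included
    method_type: Optional[int]   # None for Success/Failure, which carry no Type
    data: bytes                  # Type-Data, interpreted per method

    @property
    def code_name(self) -> str:
        return EAP_CODES.get(self.code, f"Unknown({self.code})")

    @property
    def type_name(self) -> str:
        if self.method_type is None:
            return "-"
        return EAP_TYPES.get(self.method_type, f"Type {self.method_type}")


def build_eap(code: int, identifier: int, method_type: Optional[int] = None, data: bytes = b"") -> bytes:
    body = b"" if method_type is None else bytes([method_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(raw: bytes) -> EapPacket:
    """Decode one EAP packet, rejecting the malformed cases an authenticator must not trust."""
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(raw):
        raise ValueError("Length field does not fit the received data")
    body = raw[4:length]                      # anything past Length is padding and ignored
    if code in (3, 4):
        if body:
            raise ValueError("Success/Failure carry no Type-Data")
        return EapPacket(code, identifier, length, None, b"")
    if not body:
        raise ValueError("Request/Response must carry a Type")
    return EapPacket(code, identifier, length, body[0], body[1:])


def parse_md5_challenge(data: bytes) -> Tuple[bytes, str]:
    """Type-Data of MD5-Challenge (type 4): Value-Size, Value, Name. The Value is used
    exactly like a CHAP challenge: the peer answers MD5(identifier || secret || value)."""
    if not data or 1 + data[0] > len(data):
        raise ValueError("bad Value-Size")
    size = data[0]
    return data[1:1 + size], data[1 + size:].decode()


if __name__ == "__main__":
    # Identity round trip, then a Request/MD5-Challenge, then Success: the same
    # envelope carries three different things.
    exchange = [
        build_eap(1, 1, 1),                                         # Request/Identity
        build_eap(2, 1, 1, b"alice@example.com"),                   # Response/Identity
        build_eap(1, 2, 4, bytes([16]) + b"\x11" * 16 + b"nas01"),  # Request/MD5-Challenge
        build_eap(3, 2),                                            # Success
    ]
    for raw in exchange:
        pkt = parse_eap(raw)
        print(f"id={pkt.identifier} {pkt.code_name:8} {pkt.type_name:14} {pkt.data!r}")
```

The parser checks the Length field against what was actually received, refuses Type-Data on Success and Failure, and requires a Type on Request and Response; those are the checks an authenticator or supplicant needs before handing the payload to a method. The MD5-Challenge decoder shows how thin the EAP layer is: once the envelope is stripped, what remains is the CHAP computation.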


Page 10

Authentication and authorization methods.

– Kerberos.

» Authentication protocol that uses TCP or UDP port 88 by default.

» A system of authentication and authorization that works well in environments with many clients; it is the default authentication protocol in Active Directory domains.

» The Key Distribution Center (KDC) is the main component.

» The KDC has two parts: the authentication server (AS) and the Ticket-Granting Service (TGS).

» When a user logs in, the client sends the AS the user's name together with a timestamp encrypted with a key derived from the user's password (pre-authentication); neither the password nor its hash is sent. If the AS can decrypt the timestamp with its copy of the user's key, it responds with a ticket-granting ticket (TGT), which only the KDC can read, and a session key encrypted for the user.

» To reach a resource, the client sends the TGT to the TGS along with an authenticator: the user's name and the current time, encrypted with the session key.

» The TGS responds with a service ticket for that resource, encrypted with the resource's own key, plus a session key for use with the resource.

» The client presents the service ticket to the resource, which decrypts it with its own key without contacting the KDC; the service ticket is what authorizes the user to access that specific resource (in Active Directory, the user's group memberships travel inside the ticket).

» As long as the TGT is still valid (10 hours by default in Active Directory), the TGS will issue new service tickets without the user entering the password again; this is how Kerberos provides single sign-on.

» Because tickets and authenticators carry timestamps, clients, the KDC and resources must keep their clocks within a small tolerance (5 minutes by default).
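The AS, TGS and resource exchanges above, modelled end to end as an added example that is not from the PACE-IT deck. The realm EXAMPLE.COM, the principals alice, krbtgt and fileserver, and the passwords are constructed, and a standard-library encrypt-then-MAC routine stands in for the AES encryption types real Kerberos uses. Pre-authentication is included because it is the reason no password hash has to travel: the client proves possession of its key by encrypting a timestamp with it.

```python
import hashlib
import hmac
import json
import os

# Constructed example (not from the PACE-IT deck): a single-process model of the
# Kerberos AS, TGS and AP exchanges. Principal names, passwords and the realm are
# made up. The "encryption" below is an HMAC-SHA256 keystream with an HMAC tag,
# standing in for Kerberos' AES encryption types so the demo runs on the standard
# library alone; it is for illustration, not for protecting anything.
REALM = "EXAMPLE.COM"
TICKET_LIFETIME = 10 * 3600   # Active Directory's default maximum TGT lifetime
CLOCK_SKEW = 300              # authenticators older than 5 minutes are rejected


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a small JSON document under `key`."""
    plain, nonce = json.dumps(obj).encode(), os.urandom(16)
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(plain) // 32 + 1))
    cipher = bytes(a ^ b for a, b in zip(plain, stream))
    return nonce + cipher + hmac.new(key, nonce + cipher, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError when the key is wrong or the blob was altered."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + cipher, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered data")
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(cipher) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(cipher, stream)))


def string_to_key(password: str, principal: str) -> bytes:
    """Derive a principal's long-term key from its password (Kerberos' string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)


# KDC database: long-term keys only. The KDC never stores or receives passwords.
KDC_DB = {
    "alice": string_to_key("alice-pw", "alice"),
    "krbtgt": os.urandom(32),       # key of the ticket-granting service: TGTs are sealed with it
    "fileserver": os.urandom(32),   # the resource's own key, shared only with the KDC
}


def as_exchange(client: str, preauth: bytes, now: int) -> tuple:
    """AS-REQ/AS-REP. The client proves it knows its key by sending a timestamp sealed with
    it (pre-authentication); the AS replies with a TGT (sealed for krbtgt, opaque to the
    client) and the TGT session key sealed under the client's key."""
    if abs(now - unseal(KDC_DB[client], preauth)["ts"]) > CLOCK_SKEW:
        raise PermissionError("pre-authentication timestamp out of range")
    session_key = os.urandom(32).hex()
    expiry = now + TICKET_LIFETIME
    tgt = seal(KDC_DB["krbtgt"], {"client": client, "key": session_key, "exp": expiry})
    return tgt, seal(KDC_DB[client], {"key": session_key, "exp": expiry})


def tgs_exchange(tgt: bytes, authenticator: bytes, service: str, now: int) -> tuple:
    """TGS-REQ/TGS-REP. Open the TGT with krbtgt's key, check the authenticator with the
    session key found inside it, then issue a service ticket sealed with the service's key."""
    t = unseal(KDC_DB["krbtgt"], tgt)
    if now > t["exp"]:
        raise PermissionError("TGT expired: the user must authenticate to the AS again")
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if auth["client"] != t["client"] or abs(now - auth["ts"]) > CLOCK_SKEW:
        raise PermissionError("authenticator does not match the TGT or is stale")
    service_key = os.urandom(32).hex()
    ticket = seal(KDC_DB[service], {"client": t["client"], "key": service_key, "exp": now + TICKET_LIFETIME})
    return ticket, seal(bytes.fromhex(t["key"]), {"key": service_key, "service": service})


def ap_exchange(service: str, ticket: bytes, authenticator: bytes, now: int) -> str:
    """AP-REQ at the resource. The service needs only its own key and never contacts the KDC;
    the ticket is what authorizes this client to use this service."""
    t = unseal(KDC_DB[service], ticket)
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if now > t["exp"] or auth["client"] != t["client"] or abs(now - auth["ts"]) > CLOCK_SKEW:
        raise PermissionError("service ticket rejected")
    return t["client"]


def client_login(user: str, password: str, service: str, now: int) -> str:
    """The whole flow from the client's side: one password entry, then tickets only."""
    user_key = string_to_key(password, user)
    # A wrong password fails here: the AS cannot open the pre-authentication timestamp.
    tgt, enc = as_exchange(user, seal(user_key, {"ts": now}), now)
    session_key = bytes.fromhex(unseal(user_key, enc)["key"])
    ticket, enc2 = tgs_exchange(tgt, seal(session_key, {"client": user, "ts": now}), service, now)
    service_key = bytes.fromhex(unseal(session_key, enc2)["key"])
    return ap_exchange(service, ticket, seal(service_key, {"client": user, "ts": now}), now)


if __name__ == "__main__":
    now = 1_700_000_000
    print("logged in as:", client_login("alice", "alice-pw", "fileserver", now))
```

What to take from it: the KDC holds keys, not passwords; the client never sees inside the TGT; the resource verifies a service ticket with its own key and no round trip to the KDC; and an expired TGT sends the user back to the AS. The timestamp checks on the authenticators are why Kerberos deployments insist on synchronized clocks.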


Page 11

What was covered.

Topic: User authentication.

Summary: Authentication (proving who you are) can be done in several different ways: by what you know (e.g., username and password), by what you are (e.g., fingerprint or retinal scan), or by what you have (e.g., a security token). These factors can be used in combination to increase security. Single sign-on is a process in which the user authenticates once, to a central service, and is then granted access to all the network resources they are authorized for.

Topic: Authentication and authorization methods.

Summary: Authentication and authorization to network resources can be done in multiple ways, including PAP, CHAP, MS-CHAP, and EAP. EAP is not a single method but a framework that carries any of dozens of registered authentication methods, such as EAP-TLS, PEAP, and EAP-TTLS. Kerberos is a separate ticket-based system, built around the KDC with its authentication server and Ticket-Granting Service, that provides authentication, authorization, and single sign-on.

Page 12

THANK YOU!

This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.