Chapter 11 Authentication and Remote Access - Students Version

Chapter 11 discusses authentication and remote access, focusing on user, group, and role management, account policies, and various authentication methods. It explains the importance of the AAA framework (authentication, authorization, and accounting) and highlights the use of biometrics and multifactor authentication to enhance security. Additionally, it covers remote access protocols and their vulnerabilities, emphasizing the need for secure methods to protect sensitive data during transmission.


Chapter 11
Authentication and Remote Access
Learning Objectives
■ Identify the differences among user, group, and role management
■ Implement account policies
■ Explain authentication methods and the security implications in their use
■ Examine the use of biometrics technology for authentication
■ Discuss the methods and protocols for remote access to networks
■ Differentiate between authentication, authorization, and accounting (AAA)
■ Identify different authentication protocols.
Introduction
• How does the computer system know which users should have access to
what data?
• How does the operating system know what applications a user is allowed
to use?
• There are three steps in the establishment of proper privileges:
authentication, authorization, and accounting. These terms are commonly
combined and simply referred to as AAA.
• Authentication: is the process of verifying an identity previously
established in a computer system.
• Authentication is commonly performed by matching a set of user-supplied
credentials to previously stored credentials on a host machine (for
example, an account username and password).
• Once the user is authenticated, the authorization step takes place.
User, Group, and Role Management
✓ To manage the privileges of many different people effectively on the same
system, a mechanism for separating people into distinct entities (that is,
users) is required, so you can control access on an individual level.
✓ At the same time, it’s convenient and efficient to be able to lump users
together when granting many different people (that is, groups) access to a
resource at the same time.
✓ At other times, it’s useful to be able to grant or restrict access based on a
person’s job or function within the organization (that is, roles).
✓While you can manage privileges on the basis of users alone, managing
user, group, and role assignments together is far more convenient and
efficient.
User, Group, and Role Management-Cont.
User:
• The term User generally applies to any person accessing a computer system.
• Each user is generally given a username—a unique alphanumeric identifier they
will use to identify themselves when logging in to or accessing the system.
• Usernames must be unique to each user, but they must also be fairly easy for the
user to remember and use.
• Once the account is created and a username is selected, the administrator can
assign specific permissions to that user.
• Permissions: control what the user is allowed to do with objects on the system—
which files they may access, which programs they may execute, and so on.
User, Group, and Role Management (Cont.)
Group:
• Under privilege management, a group is a collection of users with some
common criteria, such as a need for access to a particular data set or group
of applications.
• A group can consist of one user or hundreds of users, and each user can
belong to one or more groups.
• By assigning membership in a specific group to a user, you make it much
easier to control that user’s access and privileges.
• The Administrators group has complete and unrestricted access to the system.
This includes access to all files, applications, and data sets.
• Some operating systems, such as Windows, have built-in groups—groups
that are already defined within the operating system, such as
Administrators, Power Users, and Everyone.
User, Group, and Role Management (Cont.)
Role:
• A role is usually synonymous with a job or set of functions.
Example:
• The role of security admin in Microsoft SQL Server may be applied to someone who
is responsible for creating and managing logins, reading error logs, and auditing the
application.
• Security admins need to accomplish specific functions and need access to certain
resources that other users do not—for example, they need to be able to create and
delete logins, open and read error logs, and so on.
• In general, anyone serving in the role of security admin needs the same rights and
privileges as every other security admin.
• For simplicity and efficiency, rights and privileges can be assigned to the role security
admin, and anyone assigned to fulfill that role automatically has the correct rights
and privileges to perform the required tasks.
Account Policies
• One of the key elements to guide security professionals in daily tasks is a
good set of policies.
• Password policies are sets of rules that help users select, employ, and
store strong passwords.
• Tokens combine “something you have” with “something you know,” such
as a password or PIN, and can be hardware or software based.
• Passwords need to be strong enough to resist attack, and yet not too
difficult for users to remember.
• Passwords should have a limited span and should expire on a scheduled
basis.
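The password-policy rules above (strong enough to resist attack, limited lifespan, scheduled expiry) are easy to state and easy to get wrong in code. The following is an added example, not code from the chapter, that enforces such a policy on a stored account: a strength check, a salted slow hash so the stored credential is never cleartext, a maximum age, and a reuse check against the password history. The thresholds (12 characters, three character classes, 90 days, five remembered passwords), the user names and the passwords are sample values chosen for the example, not values the chapter prescribes.

```python
"""Password-policy enforcement: added illustration, not code from the chapter.
The thresholds below are assumed sample policy values, not chapter values."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 12        # assumed policy value
MIN_CLASSES = 3        # assumed policy value
MAX_AGE_DAYS = 90      # assumed policy value
HISTORY_SIZE = 5       # assumed policy value
PBKDF2_ROUNDS = 100_000


def check_strength(password: str, username: str) -> List[str]:
    """Return the list of policy rules the password violates (empty = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (
        any(c.islower() for c in password)
        + any(c.isupper() for c in password)
        + any(c.isdigit() for c in password)
        + any(not c.isalnum() for c in password)
    )
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash so the stored credential is not recoverable."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    changed_at: datetime
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # older (salt, digest)

    def verify(self, password: str) -> bool:
        _, digest = hash_password(password, self.salt)
        return hmac.compare_digest(digest, self.digest)

    def is_expired(self, now: datetime) -> bool:
        """Scheduled expiry: the password must be changed after MAX_AGE_DAYS."""
        return now - self.changed_at > timedelta(days=MAX_AGE_DAYS)


def create_account(username: str, password: str, now: datetime) -> Account:
    problems = check_strength(password, username)
    if problems:
        raise ValueError("; ".join(problems))
    salt, digest = hash_password(password)
    return Account(username, salt, digest, now)


def change_password(acct: Account, new_password: str, now: datetime) -> List[str]:
    """Apply the policy to a change request. Returns the violations found;
    the change is made only when the returned list is empty."""
    problems = check_strength(new_password, acct.username)
    remembered = [(acct.salt, acct.digest)] + acct.history
    for salt, digest in remembered:
        # Re-derive with the old salt so the candidate can be compared to that entry.
        if hmac.compare_digest(hash_password(new_password, salt)[1], digest):
            problems.append(f"matches the current or one of the last {HISTORY_SIZE} passwords")
            break
    if problems:
        return problems
    acct.history = remembered[:HISTORY_SIZE]
    acct.salt, acct.digest = hash_password(new_password)
    acct.changed_at = now
    return []
```

`change_password` returns the full list of violations rather than stopping at the first one, so a user who is refused sees every rule they broke at once; the reuse check re-derives the hash with each old salt because the history is stored only as salted digests, never as cleartext.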
Authorization
• Once identity is confirmed via authentication, specific actions can be
authorized or denied.
• Authorization is the process of permitting or denying access to a specific
resource.
• Accounting is the process of ascribing resource usage by account for the
purpose of tracking resource utilization.
• Accounting can include the collection of billing and other detail records.
• Network access is often a billable function, and a log of how much time,
bandwidth, file transfer space, or other resources were used needs to be
maintained.
• Other accounting functions include keeping detailed security logs to
maintain an audit trail of tasks being performed.
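The user/group/role model from the earlier slides and the authorization and accounting steps just described fit together in one small privilege-management structure. The following is an added example, not code from the chapter or from any product: rights are attached to roles, users reach roles either directly or through group membership, every access decision is default-deny, and each decision is written to an audit trail from which per-account usage and refused attempts can be reported. The users (alice, bob, carol, dave), groups, roles, objects and actions are constructed sample data.

```python
"""User, group and role privilege management with an accounting trail.
Added example; all directory contents below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]      # (object, action), e.g. ("error_log", "read")
ANY: Permission = ("*", "*")      # unrestricted, like a built-in Administrators group


@dataclass
class Directory:
    user_groups: Dict[str, Set[str]] = field(default_factory=dict)        # user  -> groups
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)         # user  -> direct roles
    group_roles: Dict[str, Set[str]] = field(default_factory=dict)        # group -> roles
    role_perms: Dict[str, Set[Permission]] = field(default_factory=dict)  # role  -> permissions
    audit: List[dict] = field(default_factory=list)                       # accounting records

    def effective_roles(self, user: str) -> Set[str]:
        """Roles held directly plus roles inherited through group membership."""
        roles = set(self.user_roles.get(user, set()))
        for group in self.user_groups.get(user, set()):
            roles |= self.group_roles.get(group, set())
        return roles

    def is_authorized(self, user: str, obj: str, action: str) -> bool:
        """Authorization: permit only if some effective role carries the permission."""
        for role in self.effective_roles(user):
            perms = self.role_perms.get(role, set())
            if (obj, action) in perms or ANY in perms:
                return True
        return False   # default deny, including for unknown users

    def access(self, user: str, obj: str, action: str, when: datetime) -> bool:
        """Authorization decision plus an accounting record of the attempt."""
        allowed = self.is_authorized(user, obj, action)
        self.audit.append({"when": when, "user": user, "object": obj,
                           "action": action, "allowed": allowed})
        return allowed

    def usage_by_account(self) -> Dict[str, int]:
        """Accounting view: successful accesses ascribed to each account."""
        counts: Dict[str, int] = defaultdict(int)
        for rec in self.audit:
            if rec["allowed"]:
                counts[rec["user"]] += 1
        return dict(counts)

    def denied(self) -> List[dict]:
        """Audit-trail view: attempts that were refused."""
        return [rec for rec in self.audit if not rec["allowed"]]


def build_sample_directory() -> Directory:
    d = Directory()
    # Rights are attached to roles, so every holder of a role gets the same privileges.
    d.role_perms["security_admin"] = {("logins", "create"), ("logins", "delete"),
                                      ("error_log", "read")}
    d.role_perms["analyst"] = {("sales_db", "read")}
    d.role_perms["administrator"] = {ANY}
    # Groups collect users with a common need; groups carry roles.
    d.group_roles["Administrators"] = {"administrator"}
    d.group_roles["Analysts"] = {"analyst"}
    d.user_groups["alice"] = {"Analysts"}
    d.user_groups["bob"] = {"Administrators"}
    # carol is an analyst by group and a security admin by direct role assignment.
    d.user_groups["carol"] = {"Analysts"}
    d.user_roles["carol"] = {"security_admin"}
    return d


def run_sample() -> Directory:
    d = build_sample_directory()
    t = datetime(2024, 1, 15, 9, 0)   # constructed timestamp
    d.access("alice", "sales_db", "read", t)
    d.access("alice", "logins", "create", t)   # denied: analysts cannot manage logins
    d.access("carol", "logins", "create", t)
    d.access("carol", "error_log", "read", t)
    d.access("bob", "sales_db", "delete", t)   # allowed: unrestricted administrator
    d.access("dave", "sales_db", "read", t)    # denied: no account in the directory
    return d
```

Keeping the decision (`is_authorized`) separate from the record-keeping (`access`) is deliberate: the audit trail must capture refused attempts as well as granted ones, which is what makes it useful both for billing-style usage reports and for a security audit trail.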
Access Control
• The term access control has been used to describe a variety of protection
schemes.
• It sometimes refers to all security features used to prevent unauthorized
access to a computer system or network—or even a network resource such
as a printer.
- In this sense, it may be confused with authentication.
• More properly, access is the ability of a subject (such as an individual or a
process running on a computer system) to interact with an object (such as a
file or hardware device).
• Once the individual has verified their identity, access controls regulate what
the individual can actually do on the system.
• Just because a person is granted entry to the system does not mean they
should have access to all the data the system contains.
Access Control Vs. Authentication
• It may seem that access control and authentication are two ways to
describe the same protection mechanism.
• This, however, is not the case.
• Authentication provides a way to verify to the computer who the user is.
• Once the user has been authenticated, the access controls decide what
operations the user can perform.
• The two go hand-in-hand but are not the same thing.
Identity
• Identification is the process of ascribing a computer ID to a specific user,
computer, network device, or computer process.
• The identification process is typically performed only once, when a user ID
is issued to a particular user.
• User identification enables authentication and authorization to form the
basis for accountability.
• For accountability purposes, user IDs should not be shared, and for security
purposes, they should not be descriptive of job function.
• Identification links the logon ID or user ID to credentials that have been
submitted previously to either HR or the IT staff.
• The user IDs must be unique so that they map back to the credentials
presented when the account was established.
Authentication
• Authentication is the process of verifying an identity previously established in a
computer system.
• Authentication is the process of binding a specific ID to a specific computer
connection.
• Two items need to be presented to cause this binding to occur— the user ID and
some “secret” to prove that the user is the valid possessor of the credentials.
• Four categories of secrets are used to authenticate the identity of a user:
• what users know: involves the use of a password.
• what users have: involves the use of something that only valid users should have in their
possession (e.g., token, simple lock and key).
• what users are: involves something that is unique about you (refers to a biometric, such as
fingerprint and DNA sample).
• what users do: based on how users perform an action, such as their walking gait or their
typing patterns.
Biometric Factors
• Biometric factors use the measurements of certain biological features to identify
one specific person from other people.
• These factors are based on parts of the human body that are unique.
• Biometric factors include:
• Fingerprint scanners: are used to measure the unique shape of fingerprints and then change
them to a series of numerical values, or a template.
• Retinal scanners: examine blood vessel patterns in the back of the eye.
• Iris scanners: use an image of a unique biological measurement (in this case, the
pigmentation associated with the iris of the eye).
• Voice recognition: is the use of unique tonal qualities and speech patterns to identify a
person.
• Facial recognition: was mostly the stuff of sci-fi until it was integrated into various mobile
phones, where a sensor recognizes when you move the phone into a position to see your face.
• Vein: is the use of blood vein patterns to identify a user.
• Gait analysis: is the measurement of the pattern expressed by a person as they walk.
Multifactor Authentication
• Multifactor authentication (or multiple-factor authentication) is simply the
combination of two or more types of authentication.
• Five broad categories of authentication can be used:
• what you are (for example, biometrics),
• what you have (for instance, tokens),
• what you know (passwords and other information),
• somewhere you are (location), and
• something you do (physical performance).
• Two-factor authentication combines any two of these before granting access.
An example would be a card reader that then turns on a fingerprint scanner—if
your fingerprint matches the one on file for the card, you are granted access.
• Three-factor authentication would combine all three types, such as a smart card
reader that asks for a PIN before enabling a retina scanner. If all three
correspond to a valid user in the computer database, access is granted.
Multifactor Authentication Advantages
• Multifactor authentication methods greatly enhance security by making it
very difficult for an attacker to obtain all the correct materials for
authentication.
• They also protect against the risk of stolen tokens, as the attacker must
have the correct biometric, password, or both.
• More important, multifactor authentication enhances the security of
biometric systems by protecting against a stolen biometric. Changing the
token makes the biometric useless unless the attacker can steal the new
token.
• It also reduces false positives by trying to match the supplied biometric
with the one that is associated with the supplied token. This prevents the
computer from seeking a match using the entire database of biometrics.
• Using multiple factors is one of the best ways to ensure proper
authentication and access control.
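A concrete two-factor login combining "what you know" (a password) with "what you have" (a one-time-password token) shows why an attacker needs both materials. The following is an added example, not code from the chapter: the token codes are computed as in RFC 4226 (HOTP) and RFC 6238 (TOTP), the password is stored as a salted PBKDF2 hash, and both factors are always evaluated so a failure does not reveal which one was wrong. The user record, password and salt are constructed sample data; the token seed is the RFC 4226 test key, chosen so the codes are reproducible.

```python
"""Two-factor login: something you know (password) plus something you have
(a TOTP token per RFC 6238 / RFC 4226). Added example, not chapter code.
The user, password, salt and token seed are constructed sample data."""
import hashlib
import hmac
import struct
from typing import Dict

STEP_SECONDS = 30
DIGITS = 6
RFC_TEST_KEY = b"12345678901234567890"   # RFC 4226 test secret, used as the sample seed


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Time-based variant (RFC 6238): the counter is the current time step."""
    return hotp(key, unix_time // step)


def verify_totp(key: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    counter = unix_time // STEP_SECONDS
    ok = False
    for delta in range(-window, window + 1):
        # Check every candidate (no early exit) so timing does not reveal which matched.
        ok |= hmac.compare_digest(hotp(key, counter + delta), code)
    return ok


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class User:
    """Enrolled user: a password hash (what you know) and a token seed (what you have)."""
    def __init__(self, name: str, password: str, totp_seed: bytes, salt: bytes):
        self.name = name
        self.salt = salt
        self.digest = hash_password(password, salt)
        self.totp_seed = totp_seed


def build_sample_users() -> Dict[str, User]:
    # Constructed sample account; a real salt would be random per user.
    return {"alice": User("alice", "correct-horse-battery", RFC_TEST_KEY, b"constructed-salt")}


def authenticate(users: Dict[str, User], name: str, password: str,
                 code: str, unix_time: int) -> bool:
    """Grant access only when both factors verify."""
    user = users.get(name)
    if user is None:
        # Unknown user: still do the hashing work so timing matches a known user.
        hash_password(password, b"\x00" * 16)
        return False
    know = hmac.compare_digest(hash_password(password, user.salt), user.digest)
    have = verify_totp(user.totp_seed, code, unix_time)   # evaluated regardless of `know`
    return know and have
```

The drift window is the usual operational compromise: a one-step window keeps codes usable across slightly skewed clocks while still making a captured code worthless within about a minute. A stolen token seed alone still fails `authenticate` without the password, which is the property the slide describes.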
Remote Access
The process of connecting by remote access involves two elements:
• A temporary network connection.
➢ can occur via a dial-up service, the Internet, wireless access, or any other method of
connecting to a network
• A series of protocols to negotiate privileges and commands.
➢ Determining the identity of the user and establishing proper privileges for that user is
accomplished using a combination of protocols and the operating system on the host
machine.
• Access controls define what actions a user can perform or what objects a user is allowed
to access.
• Access controls are built on the foundation of elements designed to facilitate the
matching of a user to a process. These elements are identification, authentication, and
authorization.
Authentication Protocols
• Tunneling: Layer 2 Tunneling Protocol (L2TP) and Point-to-Point Tunneling
Protocol (PPTP) are both OSI Layer 2 tunneling protocols. Tunneling is the
encapsulation of one packet within another, which allows you to hide the
original packet from view or change the nature of the network transport.
• L2TP: Layer 2 Tunneling Protocol (L2TP) is also an Internet standard which is
designed for use across all kinds of networks, including ATM and Frame
Relay.
• PPTP: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that
enables the secure transfer of data from a remote PC to a server by creating
a VPN across a TCP/IP network. This remote network connection can also
span a public switched telephone network (PSTN).
Authentication Protocols (Cont.)
• PPP: Point-to-Point Protocol (PPP) is an older, still widely used protocol for
establishing dial-in connections over serial lines or Integrated Services
Digital Network (ISDN) services. PPP has several authentication
mechanisms, including PAP, CHAP, and the Extensible Authentication
Protocol (EAP).
• PAP: Password Authentication Protocol (PAP) involves a two-way
handshake in which the username and password are sent across the link in
cleartext. PAP authentication does not provide any protection against
playback and line sniffing.
• EAP: Extensible Authentication Protocol (EAP) is a universal authentication
framework that is frequently used in wireless networks and point-to-point
connections. Although EAP is not limited to wireless and can be used for
wired authentication, it is most often used in wireless LANs.
Authentication Protocols (Cont.)
• CHAP: Challenge-Handshake Authentication Protocol (CHAP) is used
to provide authentication across a point-to-point link using PPP. In
this protocol, authentication after the link has been established is not
mandatory. CHAP is designed to provide authentication periodically
through the use of a challenge/response system that is sometimes
described as a three-way handshake.
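The difference between PAP's two-way handshake and CHAP's challenge/response is easiest to see with both peers simulated side by side. The following is an added example, not code from the chapter: the CHAP response is computed as RFC 1994 specifies (MD5 over the identifier, the shared secret and the challenge), the authenticator verifies it from its own copy of the secret, and a helper reports what a line sniffer would learn from each packet. The secret database, the user name and the fixed challenge bytes in the sample run are constructed values.

```python
"""PAP and CHAP over a point-to-point link, simulated as two peers.
Added example, not chapter code. SECRETS and the challenge bytes in
run_sample() are constructed values. CHAP per RFC 1994:
Response value = MD5(Identifier || secret || Challenge value)."""
import hashlib
import hmac
import os
from typing import Optional

# Authenticator's credential store (constructed sample data).
SECRETS = {"alice": b"dialin-s3cret"}


# --- PAP: two-way handshake, the credentials travel in cleartext --------------
def pap_authenticate_request(peer_id: str, password: bytes) -> dict:
    return {"code": "Authenticate-Request", "peer_id": peer_id, "password": password}


def pap_verify(packet: dict) -> bool:
    stored = SECRETS.get(packet["peer_id"])
    return stored is not None and hmac.compare_digest(stored, packet["password"])


# --- CHAP: three-way challenge/response, the secret never leaves the peer -----
def chap_challenge(identifier: int, value: Optional[bytes] = None) -> dict:
    """Authenticator -> peer. A fresh random value each time; may be repeated later."""
    return {"code": "Challenge", "id": identifier,
            "value": value if value is not None else os.urandom(16)}


def chap_digest(identifier: int, secret: bytes, challenge_value: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge_value).digest()


def chap_response(challenge: dict, name: str, secret: bytes) -> dict:
    """Peer -> authenticator: the digest plus the peer's name (not the secret)."""
    return {"code": "Response", "id": challenge["id"],
            "value": chap_digest(challenge["id"], secret, challenge["value"]),
            "name": name}


def chap_verify(challenge: dict, response: dict) -> bool:
    """Authenticator recomputes the digest from its own copy of the secret."""
    secret = SECRETS.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return False
    expected = chap_digest(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def wire_contains_secret(packet: dict) -> bool:
    """What a line sniffer learns: does the packet carry a stored secret itself?"""
    return any(packet.get(k) in SECRETS.values() for k in ("password", "value"))


def run_sample() -> dict:
    # PAP session: the password itself is on the link.
    pap = pap_authenticate_request("alice", SECRETS["alice"])
    # CHAP session with a fixed challenge so the run is reproducible.
    c1 = chap_challenge(1, b"\x01" * 16)
    r1 = chap_response(c1, "alice", SECRETS["alice"])
    # Later re-authentication: same identifier, new challenge value. A response
    # captured from the first exchange no longer matches.
    c2 = chap_challenge(1, b"\x02" * 16)
    return {
        "pap_ok": pap_verify(pap),
        "pap_leaks_secret": wire_contains_secret(pap),
        "chap_ok": chap_verify(c1, r1),
        "chap_leaks_secret": wire_contains_secret(r1),
        "old_response_accepted": chap_verify(c2, r1),
    }
```

The sample run makes the slide's point concrete: PAP authenticates but exposes the password to anyone sniffing the line, while CHAP authenticates without the secret ever crossing the link, and because each response is bound to a fresh challenge an old response is rejected on the next periodic re-authentication.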
Authentication Protocols (Cont.)
• SSH: Secure Shell (SSH) is a protocol series designed to facilitate secure
network functions across an insecure network. SSH provides direct
support for secure remote login, secure file transfer, and secure
forwarding of TCP/IP and X Window System traffic. An SSH connection is
an encrypted channel, providing for confidentiality and integrity
protection.
• FTP: File Transfer Protocol (FTP) is a plaintext protocol that operates by
communicating over TCP between a client and a server. It is one of the
methods used to transfer files between machines.
• FTPS: is the use of FTP over an SSL/TLS secured channel.
• SFTP: Secure FTP is running FTP over SSH, as later versions of SSH allow
securing of channels such as the FTP control channel.
Vulnerabilities of Remote Access Methods
• The primary vulnerability associated with many of these methods of remote access is the passing
of critical data in cleartext. Plaintext passing of passwords provides no security if the password is
sniffed, and sniffers are easy to use on a network. Even plaintext passing of user IDs gives away
information that can be correlated and possibly used by an attacker.
• Plaintext credential passing is one of the fundamental flaws with Telnet and is why SSH was
developed.
• The strength of the encryption algorithm is also a concern. Should a specific algorithm or method
prove to be vulnerable, services that rely solely on it are also vulnerable.
• To get around this dependency, many of the protocols allow numerous encryption methods
so that, should one prove vulnerable, a shift to another restores security.
• As with any software implementation, there always exists the possibility that a bug could open
the system to attack.
• Bugs have been corrected in most software packages to close holes that made systems
vulnerable, and remote access functionality is no exception.
