
Computer Security - CCNA Security - Lecture 2

We will discuss the following: Classical Security Methods, AAA, Authentication, Authorization, Accounting, AAA Characteristic, Local Based AAA, Server Based AAA, TACACS+ and RADIUS.

Published in: Education

  1. CCNA Security: AAA
  2. Course outline:
     Chapter 1: Modern Network Security Threats
     Chapter 2: Securing Network Devices
     Chapter 3: Authentication, Authorization, and Accounting
     Chapter 4: Implementing Firewall Technologies
     Chapter 5: Implementing Intrusion Prevention
     Chapter 6: Securing the Local-Area Network
     Chapter 7: Cryptographic Systems
     Chapter 8: Implementing Virtual Private Networks
     Chapter 9: Implementing the Cisco Adaptive Security Appliance
     Chapter 10: Advanced Cisco Adaptive Security Appliance
     Chapter 11: Managing a Secure Network
  4. Classical Security Methods
  5. Password-Only Method
     - Uses a single login password on the access lines (console, aux, vty)
     - Easiest to implement, but the least secure of the methods
     - Vulnerable to brute-force attacks: one guessable secret and, by default, no lockout
     - Provides no accountability: every administrator uses the same password, so the logs cannot say who did what
     Configuration:
       R1(config)# line vty 0 4
       R1(config-line)# password cisco
       R1(config-line)# login
     Login attempt from the Internet:
       User Access Verification
       Password: cisco
       Password: cisco1
       Password: cisco12
       % Bad passwords
  6. Local Database Method
     - Creates an individual username/password on each device
     - Provides accountability, because each session is tied to a username
     - User accounts must be configured (and kept in sync) locally on every device
     - Provides no fallback authentication method
     Configuration (secret stores a hash of the password; password would store the reversible type 7 encoding):
       R1(config)# username Admin secret Str0ng5rPa55w0rd
       R1(config)# line vty 0 4
       R1(config-line)# login local
     Login attempt from the Internet:
       User Access Verification
       Username: Admin
       Password: cisco1
       % Login invalid
       Username: Admin
       Password: cisco12
       % Login invalid
  7. AAA
  8. Authentication, authorization, and accounting (AAA) is a framework for controlling access to computer resources, enforcing policies, auditing usage, and providing the information needed to review or bill for that usage. Together, these processes are considered essential for effective network management and security.
  9. AAA has three components: authentication, authorization, and accounting.
  10. Authentication: who are you?
      Authorization: which resources is the user allowed to access, and which operations is the user allowed to perform?
      Accounting: what did the user do with that access (what was used, for how long, and what was changed)?
  11. Authentication
  12. Authentication is the process that determines whether a client (a person, a device, or a software process) is a legitimate user of the system. Cisco IOS provides two common methods of implementing AAA authentication:
      - Local AAA authentication
      - Server-based AAA authentication
  13. Local AAA uses the router's own user database for authentication. This method is sometimes known as self-contained authentication.
  14. Local AAA authentication flow (remote client, AAA router):
      1. The client establishes a connection with the router.
      2. The AAA router prompts the user for a username and password.
      3. The router checks the username and password against its local database, and the user is authorized to access the network based on information in that database.
  15. The server-based method uses a central server database for authentication. The router queries a central AAA server, such as the Cisco Secure Access Control System (ACS).
  16. Server-based AAA authentication flow (remote client, AAA router, Cisco Secure ACS server):
      1. The client establishes a connection with the router.
      2. The AAA router prompts the user for a username and password.
      3. The router forwards the username and password to the remote AAA server, which authenticates them.
      4. The user is authorized to access the network based on information held on the remote AAA server.
  17. Authorization
  18. After the user is authenticated, authorization is the process that determines which resources the user can access and which operations the user is allowed to perform.
  19. Authorization flow:
      1. Once a user has been authenticated, a session is established with the AAA server.
      2. The router requests authorization for the requested service (for example an exec shell, or an individual command) from the AAA server.
      3. The AAA server returns PASS or FAIL for that request.
  20. Accounting
  21. Accounting is the process of monitoring and recording a client's use of the network. Accounting records what the user does, including what is accessed, how long the resource is used, and any changes that were made. Accounting keeps track of how network resources are used.
  22. Accounting flow:
      1. When a user has been authenticated, the AAA accounting process sends a start record to the server to begin the accounting session.
      2. When the user finishes, a stop record is sent, ending the accounting session.
  24. Local-Based AAA
  25. Local AAA authentication is appropriate for smaller networks: those with one or two routers providing access to a limited number of users. This method uses the local usernames and passwords stored on the router itself.
  26. Configuring local AAA services to authenticate administrator access takes a few basic steps:
      1. Add usernames and passwords to the local router database
      2. Enable AAA globally
      3. Configure the AAA parameters (method lists) on the router
      4. Confirm and troubleshoot the AAA configuration
  27. Complete configuration on R1:
        R1# conf t
        R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
        R1(config)# username ADMIN secret Str0ng5rPa55w0rd
        R1(config)# aaa new-model
        R1(config)# aaa authentication login default local-case
  28. The username commands create the accounts; the aaa authentication login command then lets the ADMIN and JR-ADMIN users log in to the router on the console or vty lines.
        R1# conf t
        R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
        R1(config)# username ADMIN secret Str0ng5rPa55w0rd
  29. To enable AAA, the aaa new-model global configuration command must be entered first. From that point on the line-level password and login local commands no longer apply and every line is governed by AAA method lists; keep the console session open until a working method list is in place, or you can lock yourself out.
        R1(config)# aaa new-model
  30. The default keyword means that this authentication method list applies to all lines, except those on which a line-specific login authentication <list-name> command overrides it.
        R1(config)# aaa new-model
        R1(config)# aaa authentication login default local-case
  31. The local-case keyword makes the username lookup case-sensitive (with the plain local keyword, usernames match regardless of case). Passwords are case-sensitive with either keyword.
        R1(config)# aaa new-model
        R1(config)# aaa authentication login default local-case
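The brute-force weakness of the password-only method (slide 5) and the local AAA configuration above can be combined into a hardened local-AAA baseline. The following is an added example written for this page, not one of the lecture's slides; the usernames, passwords, the management subnet 10.0.0.0/24 and the timers are placeholders to be adapted.

```cisco
! Added example (not from the lecture): local AAA with brute-force protection.
! Usernames, passwords, the 10.0.0.0/24 management subnet and timers are placeholders.
!
! Weak setting from slide 5: one shared line password, no lockout, no accountability.
! line vty 0 4
!  password cisco
!  login
!
! Hardened local AAA:
enable secret Str0ngEnabl3Pa55w0rd
username JR-ADMIN privilege 1 secret Str0ngPa55w0rd
username ADMIN privilege 15 secret Str0ng5rPa55w0rd
!
aaa new-model
! Case-sensitive username lookup on every line that does not override the default
aaa authentication login default local-case
! Lock a local account after 5 consecutive failures
! (cleared with "clear aaa local user lockout username <name>")
aaa local authentication attempts max-fail 5
!
! Quiet period: after 3 failed logins within 60 s, refuse logins for 120 s
! except from hosts matched by the ACL, and log every attempt
login block-for 120 attempts 3 within 60
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
login quiet-mode access-class MGMT-HOSTS
login on-failure log
login on-success log
!
line vty 0 4
 transport input ssh
 exec-timeout 10 0
!
! Verification (exec mode):
! show aaa local user lockout
! show login failures
```

Note that the lockout counter and the quiet period are independent controls: max-fail locks one account, while login block-for stops the line from accepting any login during the quiet period, so an attacker cycling through usernames is slowed down as well.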
  32. Server-Based AAA
  33. Most corporate environments have multiple Cisco routers, switches, and other infrastructure devices, several router administrators, and hundreds or thousands of users needing access to the corporate LAN. Local implementations of AAA are acceptable in very small networks, but local authentication does not scale: every account change must be repeated on every device.
  34. Server-based AAA topology: routers R1, R2 and R3 all authenticate against one Cisco Secure ACS.
  35. Server-based AAA flow (remote user, perimeter router, Cisco Secure ACS for Windows Server):
      1. The user establishes a connection with the router.
      2. The router prompts the user for a username and password.
      3. The router passes the username and password to the Cisco Secure ACS (server or engine).
      4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database.
  36. The Cisco Secure Access Control System (ACS) is a centralized solution that ties together an enterprise's network access policy and identity strategy. Cisco Secure ACS supports both the TACACS+ and RADIUS protocols.
  37. TACACS+ and RADIUS are the two AAA protocols a router uses to talk to an AAA server. Either can carry authentication between a router and the server; TACACS+ is considered the more secure of the two for device administration because it encrypts the whole packet body (RADIUS only obscures the password) and can authorize individual commands. Both rely on a static shared secret and MD5-based protection, so on an untrusted network they should be carried inside IPsec (or, for RADIUS, over TLS as RadSec, RFC 6614).
  38. TACACS+ versus RADIUS:

      Feature           TACACS+                                   RADIUS
      Functionality     Separates authentication,                 Combines authentication and
                        authorization and accounting,             authorization but separates
                        allowing a modular server                 accounting, so less flexible
                        implementation                            than TACACS+
      Standard          Cisco proprietary (documented in          Open IETF standard
                        RFC 8907, Informational)                  (RFC 2865 / RFC 2866)
      Transport         TCP (port 49)                             UDP (1812/1813; legacy 1645/1646)
      Protocol support  Multiprotocol                             No multiprotocol support
      Confidentiality   Entire packet body encrypted              Only the password attribute encrypted
      Customization     Authorizes router commands on a           No per-user or per-group
                        per-user or per-group basis               router command authorization
  39. RADIUS, developed by Livingston Enterprises, is an open IETF standard AAA protocol (RFC 2865 for authentication and authorization, RFC 2866 for accounting) for applications such as network access or IP mobility. RADIUS is widely used by VoIP service providers.
  40. RADIUS:
      - Works in both local and roaming situations
      - Uses UDP port 1812 (legacy 1645) for authentication and UDP port 1813 (legacy 1646) for accounting
      Exchange between the user, the router (RADIUS client) and the RADIUS server:
        User    <- Username?
        User    -> JR-ADMIN
        User    <- Password?
        User    -> Str0ngPa55w0rd
        Router  -> Access-Request (JR-ADMIN, "Str0ngPa55w0rd")  -> RADIUS server
        Router  <- Access-Accept                                 <- RADIUS server
      The username travels in the clear; only the password attribute is obscured with the shared secret.
  41. TACACS+ is a Cisco enhancement of the original TACACS protocol. TACACS+ is an entirely new protocol that is incompatible with any previous version of TACACS. TACACS+ is supported by the Cisco family of routers and access servers.
  42. TACACS+:
      - Provides separate authentication, authorization and accounting services
      - Uses TCP port 49
      Exchange between the user, the router (TACACS+ client) and the TACACS+ server. The server drives the dialogue, telling the router which prompt to show next:
        Router  -> Connect                     -> TACACS+ server
        Router  <- Use "Username" prompt       <- TACACS+ server
        User    <- Username?
        User    -> JR-ADMIN
        Router  -> "JR-ADMIN"                  -> TACACS+ server
        Router  <- Use "Password" prompt       <- TACACS+ server
        User    <- Password?
        User    -> Str0ngPa55w0rd
        Router  -> "Str0ngPa55w0rd"            -> TACACS+ server
        Router  <- Accept/Reject               <- TACACS+ server
      The whole body of every TACACS+ packet is encrypted with the shared secret, so neither the username nor the password is visible on the wire.
  43. Configuring server-based AAA authentication:
      Step 1. Globally enable AAA to allow the use of all AAA elements.
      Step 2. Specify the AAA server (for example Cisco Secure ACS) that will provide AAA services for the router.
      Step 3. Configure the shared key used to protect the traffic between the router (the network access server) and the AAA server.
      Step 4. Configure the AAA authentication method list to refer to the TACACS+ or RADIUS server.
  44. To enable AAA, the aaa new-model global configuration command must be configured first.
        R1(config)# aaa new-model
  45. To configure a RADIUS server, use the radius server <name> global command. This enters RADIUS server configuration mode, where the prompt changes to (config-radius-server).
        R1(config)# radius server Server-R
        R1(config-radius-server)#
  46. RADIUS has the IANA-assigned ports 1812 for authentication and 1813 for accounting (older deployments use 1645/1646). Set the server address and ports in RADIUS server configuration mode:
        R1(config-radius-server)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
  47. To configure the shared secret, use the key command in the same mode. The key must be configured identically on the router and the RADIUS server; it is used to obscure the User-Password attribute and to authenticate the server's replies, so choose a long random value and do not reuse the lab value below in production.
        R1(config-radius-server)# key RADIUS-Pa55w0rd
  48. Configuration so far (steps 1 to 3). The router does not yet send anything to the server: until step 4 points a method list at it, logins still use the local database.
        R1(config)# aaa new-model
        R1(config)# radius server Server-R
        R1(config-radius-server)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
        R1(config-radius-server)# key RADIUS-Pa55w0rd
        R1(config-radius-server)# exit
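The four steps above, completed for both a RADIUS and a TACACS+ server, as an added example that is not part of the lecture: the server names, the addresses 192.168.1.100/101, the keys and the account names are assumed placeholders. Step 4, the method list, is what actually sends logins to the server; the lecture's configuration stops after step 3.

```cisco
! Added example (not from the lecture): complete server-based AAA for
! administrative access. Server names, addresses, keys and accounts are placeholders.
!
! Step 1: enable AAA
aaa new-model
!
! Steps 2 and 3: define the servers and their shared secrets
radius server Server-R
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key RADIUS-Pa55w0rd
!
tacacs server Server-T
 address ipv4 192.168.1.101
 key TACACS-Pa55w0rd
!
! Group the servers so that method lists can refer to them by name
aaa group server radius RADIUS-SERVERS
 server name Server-R
aaa group server tacacs+ TACACS-SERVERS
 server name Server-T
!
! Step 4: method lists. Methods are tried left to right; "local" is reached
! only when every listed server is unreachable. A server that answers
! REJECT is final and does not fall through to the next method.
username ADMIN privilege 15 secret Str0ng5rPa55w0rd
aaa authentication login default group TACACS-SERVERS group RADIUS-SERVERS local
! Console keeps working from the local database even if the servers are down
aaa authentication login CONSOLE local-case
! Per-command authorization and accounting are a TACACS+ feature (see slide 38)
aaa authorization exec default group TACACS-SERVERS local
aaa authorization commands 15 default group TACACS-SERVERS local
aaa accounting exec default start-stop group TACACS-SERVERS
aaa accounting commands 15 default start-stop group TACACS-SERVERS
!
line console 0
 login authentication CONSOLE
line vty 0 4
 transport input ssh
!
! Verification (exec mode):
! test aaa group TACACS-SERVERS ADMIN Str0ng5rPa55w0rd new-code
! show aaa servers
! debug aaa authentication
```

The CONSOLE list shows the override described on slide 30: the default list applies to every line except the console, which names its own list. Test the server path with test aaa group before closing the console session, because a typo in the key gives a failed authentication, not an error, and therefore no fallback to the local account.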
  49. How do you configure server-based AAA authentication using TACACS+?
  50. Assignment:
      - Use MS Word
      - Send an email to mloey@live.com with the subject "AAA"
      - Put your name in Arabic, with your department and section, in the Word document and in the email body
      - Finally, press Send
      - Deadline: next lecture
  51. Contact:
      facebook.com/mloey
      mohamedloey@gmail.com
      twitter.com/mloey
      linkedin.com/in/mloey
      mloey@fci.bu.edu.eg
      mloey.github.io
  52. Thanks for your time
