Read 08 301 - jserpa-p/lisbon-ops-301n1_Reading GitHub Wiki

NAC (Network Access Control) | AAA (Authentication, Authorization and Accounting)

To keep unauthorized people from getting remote access to a router or other device, a framework called AAA is used to provide that extra level of security.

AAA (Authentication, Authorization, Accounting)

AAA is a standard-based framework used to control who is permitted to use network resources (through authentication), what they are authorized to do (through authorization), and capture the actions performed while accessing the network (through accounting).

AAA implementation: AAA can be implemented by using the local database of the device or by using an external ACS server.

  • Local Database - First, create users on the device for authentication and assign them privilege levels for authorization.

  • ACS Server - The configuration includes creating a user and separate customized method lists for authentication, authorization, and accounting. The client, or Network Access Server (NAS), sends authentication requests to the ACS server, and the server decides whether to allow the user to access the network resource based on the credentials the user provided.

RADIUS Concepts

How things work in RADIUS

The client sends the server a RADIUS authentication request. Neither you nor the server decides what's in the request; the client does. The client is 100% responsible for everything in the request.

Picking an Auth-Type - authorize {}

  1. The RADIUS server looks at the request and sees if it can deal with it (the answer depends on what authentication types you have enabled in the server, what the server can look up in a database, and what is in the request).
  2. The server then queries the modules listed in the authorize section in turn (can the unix module handle this? the pap module? the mschap module?).
  3. At some point, one of the modules will recognise the request.
  4. The module does this by looking in the request for key attributes, such as MS-CHAP-Challenge (for mschap), CHAP-Challenge (for chap), or EAP-Message (for eap). Or it may just assume it needs to add something to every request.
  5. If the module thinks it has a shot at authenticating the user, it says so by setting the Auth-Type, which tells the authenticate section which module to run.

If the module doesn't see anything it recognizes, or knows it doesn't need to lookup anything, it does nothing.

Authenticating a user - authenticate {}

At the end of authorize, the server will check if anything set the Auth-Type.

  1. If the pap module set the Auth-Type, the server calls the pap module again in authenticate.
  2. The pap module then compares the local "known good" password to the password as entered by the user. This is how authentication works.
  3. The "known good" password comes from another module. The pap module just does PAP authentication, and nothing more. The benefit of this approach is that the "known good" password can come from the 'users' file, SQL, LDAP, /etc/passwd, an external program, etc., i.e. pretty much anything.
  4. If the ldap module was listed in authorize, it will have run and checked whether it knows the user.
  5. If so, it will have added the "known good" password to the request, so that another module in authenticate can use it.

Insufficient information

If the client sends an MS-CHAP request, the mschap module looks at the request and finds the MS-CHAP attributes. It sets the Auth-Type to itself (mschap). A database module (such as LDAP, above) gets the "known good" password and adds it to the request. The mschap module is then run for authentication. It looks for either a clear-text password or an NT hash; if neither is in the request, it cannot authenticate the user and rejects the request for insufficient information.
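The authorize/authenticate flow described above, as an added example that is not part of the original notes or of FreeRADIUS itself: each authorize module inspects the request for the attributes it recognises and sets Auth-Type, a constructed "users" table plays the role of the database module that supplies the "known good" password, and authenticate dispatches to the module named by Auth-Type. PAP compares the clear-text passwords; CHAP verifies the RFC 2865 response MD5(ident + password + challenge). Attribute names follow the RADIUS dictionary; the module and user names are constructed for this example.

```python
import hashlib
import hmac

# Constructed "users" file: username -> clear-text "known good" password.
USERS = {"alice": "correct horse", "bob": "hunter2"}


def files_authorize(request: dict) -> None:
    """Database-style module: add the known-good password if the user exists."""
    known = USERS.get(request.get("User-Name"))
    if known is not None:
        request["Cleartext-Password"] = known


def pap_authorize(request: dict) -> None:
    """pap recognises a User-Password attribute and claims the request."""
    if "User-Password" in request:
        request.setdefault("Auth-Type", "PAP")


def chap_authorize(request: dict) -> None:
    """chap recognises CHAP-Password plus CHAP-Challenge and claims the request."""
    if "CHAP-Password" in request and "CHAP-Challenge" in request:
        request.setdefault("Auth-Type", "CHAP")


def pap_authenticate(request: dict) -> bool:
    """Compare the supplied password against the known-good one (constant time)."""
    known = request.get("Cleartext-Password")
    if known is None:
        return False  # insufficient information: no database module found the user
    return hmac.compare_digest(known.encode(), request["User-Password"].encode())


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """CHAP-Password value: 1-octet ident followed by MD5(ident + secret + challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def chap_authenticate(request: dict) -> bool:
    """Recompute the CHAP response from the known-good password and compare."""
    known = request.get("Cleartext-Password")
    if known is None:
        return False  # insufficient information
    ident = request["CHAP-Password"][0]
    expected = chap_response(ident, known, request["CHAP-Challenge"])
    return hmac.compare_digest(expected, request["CHAP-Password"])


AUTHORIZE = [files_authorize, pap_authorize, chap_authorize]      # authorize {}
AUTHENTICATE = {"PAP": pap_authenticate, "CHAP": chap_authenticate}  # authenticate {}


def handle_request(request: dict) -> str:
    """Run authorize, then the single authenticate module chosen by Auth-Type."""
    req = dict(request)  # modules mutate the request; keep the caller's copy intact
    for module in AUTHORIZE:
        module(req)
    auth_type = req.get("Auth-Type")
    if auth_type is None:
        return "Access-Reject"  # nothing recognised the request
    return "Access-Accept" if AUTHENTICATE[auth_type](req) else "Access-Reject"
```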

Authentication Methods

Local Authentication

When you first connect to that device, it asks for a username and a password. That username and password is often stored on the device itself.

MFA (Multi Factor Authentication)

  • More than one factor
  • Can be expensive

RADIUS

  • One of the more common AAA protocols
  • Centralized authentication for users
  • RADIUS services available on almost any server operating system

TACACS

LDAP

  • Protocol for reading and writing directories over an IP network

Kerberos

  • Kerberos is a network authentication protocol where you can authenticate one time. And once you authenticate, you’re trusted by the entire system.

Defense in Depth

Layering the defence

  1. Physical controls
  2. Technical controls
  3. Administrative controls
  4. Firewall
  5. Screened subnet
  6. Hashing and salting passwords
  7. Authentication
  8. Intrusion prevention system
  9. VPN Access
  10. Anti-virus and malware software
  11. Separate devices
  12. Split knowledge

Honeypots

  • Attracts the bad guys
  • The attackers are probably a machine
  • Constant battle to discern who is fake and who is real

RADIUS and TACACS

RADIUS uses UDP and TACACS uses TCP

Kerberos

It is a network authentication protocol.

Fun Fact - Kerberos or Cerberus is a mythological creature. This is the three-headed dog of the underworld. Its job was to keep people from escaping across the River Styx. And a three-headed dog would certainly do that for me. But it had three heads for a reason. There’s a reason we call this Kerberos. That’s because there are three components to this.

  1. KDC (Key Distribution Center)
  2. Authentication Service
  3. Ticket Granting Service