Reading 08 - theSam1998/ops-301-Reading-Notes GitHub Wiki
Reading 08
GPT4 insertions indicated by: 🤖
Relevance Statement:
- The media we have been asked to review today covers several methods of establishing secure connections to remote networks. AAA and RADIUS are both covered, as well as some other methods within the videos. Many of these methods are used in tandem or stacked on top of one another to provide enhanced security depending on the network configuration. It is vital to understand AAA for our future as cybersecurity professionals so that we can properly establish secure networks in our future places of work.
AAA
Explain each of the three A’s as you would to a non-technical family member. Use an analogy or a story.
- The three As in AAA stand for authentication, authorization, and accounting. For example, let's say you go to the bank to make a withdrawal from your checking account. The bank is likely to ask for your debit card and possibly your ID, depending on the bank. That is the authentication: determining who you are and making sure you are who you claim to be. Once you've presented the valid documents for authentication, you will be authorized to withdraw the full amount that is in your account (again, depending on the bank). This authorization works hand in hand with the authentication to allow you to access the resources that are meant specifically for you (e.g. you cannot use your debit card to withdraw funds from someone else's account, and you cannot withdraw more than is in your account). Then, once you've withdrawn the amount you desire, you will be given a receipt for accounting (or nonrepudiation). This receipt serves as an acknowledgement that you have received the funds you've withdrawn, so you cannot come back later and claim to have never withdrawn them. The transaction is also likely to be logged in one database or another by the bank, serving as a further method of accounting. All three parts used together create a stable and reliable banking system.
- 🤖 While you have correctly described the roles of Authentication, Authorization, and Accounting in AAA, it could be useful to also mention that these three processes can happen in order, sequentially. First, a user is authenticated (their identity is confirmed), then they are authorized (given specific permissions), and finally their activities are accounted for (recorded for future reference).
What should the administrator do if the ACS server fails to authenticate a user during AAA implementation?
- To discuss this, we must first highlight the differences between implementing AAA on a local database vs on an ACS server.
- Local Database: In this method, a router or switch's configuration is used directly to implement AAA. This means creating users within the device's local configuration and assigning them different privilege levels manually. These privilege levels determine the commands and functions that a user can execute on the device. This method is typically implemented in smaller networks, and while it provides some security, it does not offer the same level of security as an ACS server. It is also less scalable than using an ACS server, and more difficult to configure as the network grows larger.
- ACS server: This is the more common method of the two, typically used in larger environments, or where centralized management of authentication data is necessary. ACS stands for access control server, which can be either a dedicated device or a virtualized/software solution. This method involves a greater amount of configuration, as both the local database and the device acting as an ACS server must be configured properly to work. In this method, the router or switch does not do the authentication directly, but rather sends the authentication data over to the ACS server. If the ACS server finds a match to the credentials in its database, the user is authorized based on the privilege level they've been assigned, which can be customized based on the user or group rather than individually for each user like in a local database. This is part of what makes using an ACS server more scalable than a local database. Finally, for accounting, every action the user takes while accessing network resources is recorded by the ACS.
- Now that the differences between the two methods have been highlighted, and we understand that an ACS server requires configuration of a local database to function properly, as they operate in tandem, I can explain the backup option. If your ACS server fails, it is extremely crucial that you have the local database listed as a backup AAA method. This way, when the ACS server fails, the network will default to using its local device's database for authentication. This allows the network to continue functioning normally until the ACS server can be fixed: you are simply removing one step of the authentication process for the meantime, rather than having to bypass AAA entirely while repairing the system or, worse, having to deal with a non-functional network.
- 🤖 In the discussion about ACS and local database, it would be good to mention that while the local database method can be useful in smaller networks, it can become challenging to manage as the network grows larger, due to the need to manually create and manage users on each individual device. Using an ACS server provides centralized management, which can significantly simplify the administration of larger networks.
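The fallback behaviour described above, modelled as an added example (not code from the course material): an AAA method list with the ACS group first and the local database second, where the next method is consulted only when the earlier one returns an error (server unreachable), not when it actively rejects the credentials. The PASS/FAIL/ERROR names and the account data are constructed.

```python
# Added example: a small model of an AAA method list such as "group ACS local".
# Assumption: a method returns PASS, FAIL (server reachable, credentials
# rejected) or ERROR (server unreachable / timed out); only ERROR moves the
# device on to the next method, a FAIL is final. Names are hypothetical.
from typing import Callable, Dict, List

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
Method = Callable[[str, str], str]

def acs_method(reachable: bool, accounts: Dict[str, str]) -> Method:
    """Simulated ACS lookup: ERROR when the server cannot be reached."""
    def check(user: str, password: str) -> str:
        if not reachable:
            return ERROR
        return PASS if accounts.get(user) == password else FAIL
    return check

def local_method(accounts: Dict[str, str]) -> Method:
    """Simulated local username database on the router/switch."""
    def check(user: str, password: str) -> str:
        return PASS if accounts.get(user) == password else FAIL
    return check

def authenticate(methods: List[Method], user: str, password: str) -> str:
    """Try each method in order; fall through to the next one only on ERROR."""
    for method in methods:
        result = method(user, password)
        if result != ERROR:
            return result
    return FAIL  # every method errored: fail closed, nobody vouched for the user

# Constructed sample data: one account known to the ACS, one local backup account.
ACS_ACCOUNTS = {"alice": "acs-pw"}
LOCAL_ACCOUNTS = {"admin": "local-pw"}

def outcome(acs_up: bool, user: str, password: str) -> str:
    """Run the method list 'ACS first, local database as backup'."""
    methods = [acs_method(acs_up, ACS_ACCOUNTS), local_method(LOCAL_ACCOUNTS)]
    return authenticate(methods, user, password)

if __name__ == "__main__":
    print(outcome(True, "alice", "acs-pw"))     # ACS answers: PASS
    print(outcome(True, "admin", "local-pw"))   # ACS reachable and rejects: FAIL, no fallback
    print(outcome(False, "admin", "local-pw"))  # ACS down: local backup answers: PASS
    print(outcome(False, "alice", "acs-pw"))    # ACS down, unknown locally: FAIL
```

The second case is the one to remember: a reachable ACS that rejects a user does not hand the decision to the local database, so the backup only widens access while the server is actually down.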
What is the role of the NAS in the AAA implementation using an ACS server? Use a diagram.
- In AAA with an ACS server, the NAS is the local database: the router or switch that houses the authentication info of the network. The NAS serves as the delivery boy, sending authentication requests to the ACS server to be either authorized or rejected.
- [client PC]------->[NAS]------>[ACS]------->[network resources]
- In the above diagram, the process is highlighted. The client PC sends its request to the router (NAS), which then forwards the request with the authentication info to the ACS server. After the client's info is authenticated, the request to access network resources proceeds to the server/network in question.
RADIUS
What are the benefits of using RADIUS for authentication and authorization?
- In RADIUS, rather than treating individual users as clients, the entire NAS is treated as the client, and authentication is performed that way. This allows for an even greater degree of scalability over ACS systems, as entire new networks can be incorporated easily into the existing system. This makes it ideal for larger companies or organizations with networks that span large geographic areas and employees across the globe who need access to network resources. RADIUS can accept requests from a great variety of access devices, such as dial-in servers, VPN concentrators, wireless access points, and managed network access switches. RADIUS is also highly customizable, and can be configured to forward RADIUS requests across multiple RADIUS servers, enabling use across a wide geographic range.
- 🤖 Another important point about RADIUS is its interoperability. RADIUS is a widely adopted standard and can interoperate with many types of network devices and systems. This interoperability, combined with its scalability and customizability, makes RADIUS a popular choice for AAA in larger and more diverse networks.
What is RADIUS and what does it stand for?
- RADIUS stands for Remote Authentication Dial-In User Service. It is a client-server protocol and software that lets a central server, whose specific job is to authenticate users and authorize access, control access to remote systems.
- 🤖 For RADIUS, it's also worth mentioning that RADIUS only supports UDP, which is connectionless and does not guarantee delivery of packets. This can potentially lead to issues in an unstable network environment. In contrast, protocols like TACACS+ support TCP, which is connection-oriented and provides guaranteed delivery of packets.
Research: What encryption algorithms does RADIUS use?
- RADIUS uses the MD5 hashing algorithm to encrypt passwords so they cannot be stolen during the authentication process. The user's password is combined with a server-generated random value known as a "shared secret". The combined string is then hashed using MD5, and the hashed value is sent across the network in this form. HOWEVER, while authentication info is encrypted, the rest of the RADIUS packet is sent as plaintext. To deal with this problem, many companies use RADIUS through IPsec or another secure transmission protocol to ensure encryption of the rest of the packet, as RADIUS will not complete this on its own.
- 🤖 While discussing the encryption algorithms used by RADIUS, it's crucial to note that while MD5 was historically used, it is now considered to be weak due to advancements in computational power and cryptanalysis techniques. As of my training cut-off in September 2021, more secure protocols like Transport Layer Security (TLS) have been adopted to secure RADIUS communication. It would be advisable to do a quick web search to confirm the most current encryption algorithms in use by RADIUS. (note from the boss: after this response I attempted to have GPT4 crawl the web for more up-to-date results, but it was unable to access many of the resources in question. However, after doing my own crawl, it doesn't seem the information it has presented is inaccurate or outdated.)
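An added example (not from the course material) of what RADIUS actually does with the password, following RFC 2865 section 5.2: the shared secret is a value configured on both NAS and server, the per-request random value is the 16-byte Request Authenticator, and only the User-Password value is hidden; the username and every other attribute go on the wire as-is. The secret and authenticator below are constructed.

```python
# Added example: RFC 2865 User-Password hiding and an Access-Request around it.
# Assumptions: constructed shared secret and a fixed Request Authenticator.
import hashlib
import struct

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad the password with NULs to a multiple of 16 bytes, then
    XOR block n with MD5(secret + previous ciphertext block); the first block
    uses the 16-byte Request Authenticator in place of a previous block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same keystream, XOR back, strip NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, keystream))
    return out.rstrip(b"\x00")

def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def access_request(ident: int, user: bytes, password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Access-Request (Code 1) carrying User-Name (1) and a hidden User-Password (2).
    Everything except the User-Password value travels in the clear."""
    attrs = avp(1, user) + avp(2, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs

# Constructed sample values. A real NAS draws a fresh random 16-byte Request
# Authenticator per request; a fixed one is used here so output is reproducible.
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))
```

Because the keystream is just MD5 over the shared secret, the strength of this hiding rests entirely on the secret, which is why the page's advice to carry RADIUS inside IPsec (or RADIUS over TLS) still stands.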
Things I want to know more about:
- Can RADIUS and ACS be used in tandem? It sounds like they can.
- 🤖 Yes, RADIUS and ACS (Access Control Server) can indeed be used together. In this scenario, ACS acts as the AAA server, and RADIUS is one of the protocols used for communication between the ACS and the network devices (the other common one being TACACS+). The network devices send AAA requests to the ACS server, which then processes the requests and responds accordingly. This setup allows you to leverage the features of both RADIUS and ACS, such as the extensible policy creation and fine-grained control capabilities of ACS, and the wide support and interoperability of the RADIUS protocol.
- How does RADIUS perform the "accountability" part of AAA?
- 🤖 Accounting in the AAA model refers to the tracking of network resource usage for auditing, billing, or reporting purposes. In the case of RADIUS, this is achieved through the use of accounting requests and responses. When a user's session begins, the network device sends an Accounting-Start (also known as Accounting-Request in some versions) packet to the RADIUS server. This packet contains details about the user and the session, such as the username, session ID, and the IP address of the network device. Throughout the session, interim updates can be sent to the RADIUS server to update the duration and data usage of the session. When the session ends, an Accounting-Stop packet is sent, which includes the final usage data. The RADIUS server can then store this information or forward it to a billing or reporting system for further processing.
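The Accounting-Start/Stop exchange described above, as an added example (not code from the course material) following RFC 2866: the NAS builds a record carrying the username, session ID, NAS IP address and status, and the server recomputes the Request Authenticator before it accepts the record. All names and values are constructed.

```python
# Added example: RFC 2866 Accounting-Request records and the server-side check.
# Assumptions: constructed shared secret, username, session ID and NAS address.
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5                              # packet codes
USER_NAME, NAS_IP, ACCT_STATUS, ACCT_SESSION_ID = 1, 4, 40, 44  # attribute types
START, STOP = 1, 2                                              # Acct-Status-Type values

def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def accounting_request(ident: int, status: int, user: bytes, session: bytes, nas_ip: bytes, secret: bytes) -> bytes:
    """Accounting-Request (Code 4). Its Request Authenticator is
    MD5(Code|ID|Length|16 zero bytes|attributes|secret), which ties the
    record to a device that holds the shared secret."""
    attrs = (avp(ACCT_STATUS, struct.pack("!I", status)) + avp(USER_NAME, user)
             + avp(ACCT_SESSION_ID, session) + avp(NAS_IP, nas_ip))
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs

def verify_accounting_request(pkt: bytes, secret: bytes) -> bool:
    """Server side: reject records whose authenticator does not recompute."""
    if len(pkt) < 20 or pkt[0] != ACCT_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def accounting_response(request: bytes, secret: bytes) -> bytes:
    """Accounting-Response (Code 5) with no attributes; its authenticator covers
    the request's authenticator so the NAS can tie the acknowledgement to its record."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def session_status(pkt: bytes) -> int:
    """Walk the attribute list and return Acct-Status-Type (0 if absent)."""
    pos = 20
    while pos + 2 <= len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2:
            break  # malformed attribute; stop rather than loop forever
        if attr_type == ACCT_STATUS:
            return struct.unpack("!I", pkt[pos + 2:pos + 6])[0]
        pos += length
    return 0
```

A record that fails verification should be logged and dropped, not stored: the authenticator is the only thing standing between the accounting log and forged Start/Stop records from a host that does not know the secret.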
- How does configuration difficulty differ between using a local database and using an ACS? What is the "crossover point" at which a network's configuration necessitates the use of one over the other?
- 🤖 The difficulty in configuring AAA with a local database versus an ACS server can vary based on the size and complexity of the network. With a local database, each user needs to be individually configured on each network device. While this might be feasible for a small network with a limited number of devices and users, it can become quite tedious and error-prone for larger networks. Also, the local database method does not provide as much flexibility in terms of policy control and auditing capabilities compared to an ACS server. On the other hand, an ACS server provides centralized management of AAA configurations. It allows you to manage users, define policies, and view accounting information from a single location. However, it does require additional setup, such as configuring the ACS server itself, setting up the communication between the network devices and the ACS server, and maintaining the server. The "crossover point" at which an ACS becomes more beneficial than a local database can depend on various factors, such as the number of network devices, the number of users, the need for advanced policy control and reporting, and the resources available for maintaining the system. As a general rule, as the size and complexity of the network grow, the benefits of using an ACS server over a local database become more apparent.