CompTIA Net+ Chapter 10 - Applying Network Security Features

1
New cards

Modern access control is typically implemented as an

Identity and Access Management (IAM) System

2
New cards

IAM comprises four main processes:

  • Identification

  • Authentication

  • Authorization

  • Accounting

3
New cards

Identification

Creating an account or ID that uniquely represents the user, device, or process on the network. 

4
New cards

Authentication

  • Proving that a subject is who or what it claims to be when it attempts to access the resource. 

  • An authentication factor determines what sort of credential the subject can use.

  • For example, people might be authenticated by providing a password; a computer system could be authenticated using a token such as a digital certificate.

5
New cards

Authorization

  • Determining what rights subjects should have on each resource, and enforcing those rights.

  • An authorization model determines how these rights are granted. For example, in a discretionary model, the object owner can allocate rights.

  • In a mandatory model, rights are predetermined by system-enforced rules and cannot be changed by any user within the system.

6
New cards

Accounting

Tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted. 

7
New cards

The type of data used to create a credential is called an:

Authentication Factor

8
New cards

Authentication Factors fall into the following categories:

  • Knowledge factor

  • Ownership factor

  • Human or biometric factor

  • Behavioral factor

  • Location factor

  • Time factor

9
New cards

Knowledge factor

Something you know (such as a password)

10
New cards

Ownership factor

Something you have (such as a smart card)

11
New cards

Human/biometric factor

Something you are (such as a fingerprint)

12
New cards

Behavioral factor

Something you do (such as making a signature)

13
New cards

Location factor

Somewhere you are

14
New cards

Time factor

Somewhen you are (such as only being able to start a session during work hours)

15
New cards

Single Sign-On (SSO)

Allows the user to authenticate once to a local device and be authorized to access compatible application servers without having to enter credentials again

16
New cards

Kerberos

Provides SSO authentication to Active Directory, as well as compatibility with other, non-Windows operating systems

17
New cards

Kerberos consists of three parts:

  • Client (which requests services)

  • Server (from which the service is requested)

  • Key Distribution Center (KDC)

18
New cards

Two services that make up the KDC:

  • Authentication Service

  • Ticket Granting Service

19
New cards

Authentication Service

Responsible for authenticating user logon requests

20
New cards

Public Key Infrastructure (PKI)

  • Aims to prove that the owners of public keys are who they say they are

21
New cards

Key management

Refers to operational considerations for the various stages in the lifecycle of an encryption key or pair

22
New cards

A key’s lifecycle may involve the following stages:

  • Key Generation

  • Storage

  • Revocation

  • Expiration and Renewal

23
New cards

Key Generation

Creates an asymmetric key pair or symmetric secret key of the required strength, using the chosen cipher

24
New cards

Storage

Prevents unauthorized access to a private or secret key and protects against loss or damage

25
New cards

Revocation

Prevents use of the key if it is compromised

26
New cards

Expiration and Renewal

Gives the certificate that validates the key a “shelf-life” to increase security

27
New cards

Federation

Is the notion that a network needs to be accessible to more than just a well-defined group of employees

28
New cards

Interoperable federation protocols use claims-based identity. While the technical implementation and terminology are different, the overall model is similar to that of Kerberos SSO:

  1. A service provider (SP) establishes a trust relationship with an identity provider (IdP).

  2. The principal attempts to access a service provider.

  3. The service provider redirects the principal to the IdP.

  4. The principal authenticates with the identity provider.

  5. If authentication is successful, the principal obtains a claim, in the form of some sort of token or document signed by the IdP.

  6. The principal presents the claim to the service provider. The SP can validate that the IdP has signed the claim because of its trust relationship with the IdP.
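Added example, not part of the course material: the six-step exchange above, simulated end to end in Python with both sides present. The trust relationship of step 1 is modelled as a shared HMAC key the SP received out of band; real SAML or OIDC deployments verify the IdP's signature with its public key or certificate instead. The class names, token layout, user database and SP/IdP names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust material: stands in for the IdP's signing certificate.
IDP_SIGNING_KEY = b"constructed-trust-key-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    def __init__(self, name, signing_key, users):
        self.name = name
        self.key = signing_key
        self.users = users            # constructed: username -> password

    def authenticate(self, username, password, audience, ttl=300, now=None):
        """Steps 4-5: verify the credential and, on success, issue a signed claim."""
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        now = int(now if now is not None else time.time())
        claim = {"iss": self.name, "sub": username, "aud": audience,
                 "iat": now, "exp": now + ttl}
        body = b64url_encode(json.dumps(claim, sort_keys=True).encode())
        sig = b64url_encode(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class ServiceProvider:
    def __init__(self, name, trusted_idps):
        self.name = name
        self.trusted = trusted_idps   # step 1: idp name -> verification key

    def redirect_to_idp(self):
        """Step 3: an unauthenticated principal is sent to the trusted IdP."""
        return next(iter(self.trusted))

    def validate(self, token, now=None):
        """Step 6: check signature, issuer, audience and expiry; return the subject."""
        now = int(now if now is not None else time.time())
        try:
            body, sig = token.split(".")
            claim = json.loads(b64url_decode(body))
        except ValueError:            # bad base64, bad JSON or wrong number of parts
            return None
        if not isinstance(claim, dict):
            return None
        key = self.trusted.get(claim.get("iss"))
        if key is None:
            return None               # signed by an IdP we have no trust with
        good = b64url_encode(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(good, sig):
            return None               # tampered body or forged signature
        if claim.get("aud") != self.name:
            return None               # claim issued for a different SP
        if claim.get("exp", 0) <= now:
            return None               # expired claim
        return claim.get("sub")


IDP = IdentityProvider("corp-idp", IDP_SIGNING_KEY,
                       {"alice": "correct horse battery staple"})
SP = ServiceProvider("wiki", {"corp-idp": IDP_SIGNING_KEY})


def sso_flow(sp, idp, username, password):
    """Steps 2-6 end to end; returns the authenticated subject or None."""
    if sp.redirect_to_idp() != idp.name:   # step 2/3: SP only redirects to an IdP it trusts
        return None
    token = idp.authenticate(username, password, audience=sp.name)
    if token is None:
        return None
    return sp.validate(token)


if __name__ == "__main__":
    print(sso_flow(SP, IDP, "alice", "correct horse battery staple"))
    print(sso_flow(SP, IDP, "alice", "wrong password"))
```

The SP never sees the password: it only checks that the claim was signed by an IdP it trusts, was issued for this SP (audience), and has not expired. Dropping any one of those checks is the classic federation bug, so the validation rejects each case separately.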

29
New cards

Remote Authentication

Means that a host runs a remote access server or terminal server that accepts login requests initiated via another host over a network

30
New cards

Remote authentication is typically used in two scenarios:

  • Authenticating with a cloud provider or web host or joining a virtual private network (VPN). With a VPN, the remote user connects to a remote access server on the perimeter of the private network.

  • Authenticating with a different host over a private network. Administrators commonly need to manage switches, routers, and servers. Rather than go to the device and start a local console session, they use Secure Shell (SSH) or Remote Desktop Protocol (RDP) to start a session over the network from their management workstation or laptop. The target device must be running an SSH server service or RDP terminal access server.

31
New cards

AAA uses the following components:

  • Supplicant

  • Network Access Server (NAS) or Network Access Point (NAP)

  • AAA Server

32
New cards

Supplicant

The device requesting access, such as a user's PC or laptop.

33
New cards

Network Access Server (NAS) or Network Access Point (NAP)

Edge network appliances, such as switches, access points, and VPN gateways. These are also referred to as AAA clients or authenticators.

34
New cards

AAA Server

The authentication server, positioned within the local network. This server either holds a database of accounts and credentials or has access to a directory server that can authenticate requests and issue SSO authorizations. There are two main types of AAA server: RADIUS and TACACS+.

35
New cards

Discretionary Access Control (DAC)

  • Based on the primacy of the resource owner

  • Every resource has an owner

  • The owner is normally the principal that created the file or service, although ownership can be assigned to another user

  • Owner has full control over the resource, and they can modify its ACL to grant rights to others

36
New cards

Role-based access control (RBAC)

  • Means that an organization defines its authorizations in terms of the tasks that an employee or service must be able to perform.

  • Each set of permissions is a role

  • Each principal is allocated to one or more roles

  • Under this system, the right to modify the permissions assigned to each role is reserved to a system owner
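Added example, not part of the course material: small enforcement points for the discretionary, role-based and mandatory models described on these cards, showing who is allowed to change the rules under each. The class and function names (DacObject, Rbac, mac_read_allowed), the clearance levels and the sample principals are assumptions for illustration.

```python
class DacObject:
    """Discretionary access control: the owner controls the ACL and can delegate."""

    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        # the owner starts with full control, including the right to edit the ACL
        self.acl = {owner: {"read", "write", "change_permissions"}}

    def grant(self, actor, subject, right):
        """Only the owner (or someone the owner delegated to) may edit the ACL."""
        if actor != self.owner and "change_permissions" not in self.acl.get(actor, set()):
            raise PermissionError(f"{actor} may not change the ACL of {self.name}")
        self.acl.setdefault(subject, set()).add(right)

    def allowed(self, subject, right):
        return right in self.acl.get(subject, set())


class Rbac:
    """Role-based access control: rights attach to roles, principals to roles,
    and only the system owner may edit either mapping."""

    def __init__(self, system_owner):
        self.system_owner = system_owner
        self.roles = {}      # role name -> set of permissions
        self.members = {}    # principal -> set of role names

    def define_role(self, actor, role, permissions):
        if actor != self.system_owner:
            raise PermissionError("only the system owner can modify roles")
        self.roles[role] = set(permissions)

    def assign(self, actor, principal, role):
        if actor != self.system_owner:
            raise PermissionError("only the system owner can assign roles")
        if role not in self.roles:
            raise KeyError(f"unknown role {role}")
        self.members.setdefault(principal, set()).add(role)

    def allowed(self, principal, permission):
        return any(permission in self.roles[r] for r in self.members.get(principal, ()))


# Mandatory access control: a fixed, system-enforced rule that no user can change.
CLEARANCE = {"unclassified": 0, "confidential": 1, "secret": 2}   # constructed labels


def mac_read_allowed(subject_clearance, object_label):
    """Simple 'no read up' rule: a subject may read objects at or below its clearance."""
    return CLEARANCE[subject_clearance] >= CLEARANCE[object_label]


def is_denied(action, *args):
    """True when the model refuses the action by raising PermissionError."""
    try:
        action(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    doc = DacObject("budget.xlsx", owner="alice")
    doc.grant("alice", "bob", "read")             # owner delegates a right
    print("bob can read:", doc.allowed("bob", "read"))
    print("bob blocked from editing the ACL:", is_denied(doc.grant, "bob", "carol", "read"))

    rbac = Rbac(system_owner="sysadmin")
    rbac.define_role("sysadmin", "helpdesk", {"reset_password", "view_ticket"})
    rbac.assign("sysadmin", "dave", "helpdesk")
    print("dave can reset passwords:", rbac.allowed("dave", "reset_password"))
    print("dave blocked from editing roles:",
          is_denied(rbac.define_role, "dave", "helpdesk", {"delete_user"}))

    print("secret reads confidential:", mac_read_allowed("secret", "confidential"))
    print("confidential reads secret:", mac_read_allowed("confidential", "secret"))
```

The difference between the models is where the right to change permissions sits: with the resource owner (DAC), with a system owner who edits roles rather than individual ACLs (RBAC), or nowhere, because the rule is fixed in the system (MAC).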

37
New cards

Privileged Access Management (PAM)

  • Refers to policies, procedures, and technical controls to prevent the malicious abuse of privileged accounts by internal threat actors and to mitigate risks from weak configuration control over authorizations

38
New cards

Least Privilege

Means that a user is granted sufficient rights to perform their job and no more

39
New cards

Separation of Duties

Is a means of establishing checks and balances against the possibility that critical systems or procedures can be compromised by insider threats.

40
New cards

Directory Services

Principal means of implementing privilege management and authorization on an enterprise network

41
New cards

Authentication, referred to as binding to the server, can be implemented in the following ways:

  • Simple Bind

  • Simple Authentication and Security Layer (SASL)

  • LDAP Secure (LDAPS)

42
New cards

Simple Bind

The client must supply its distinguished name and password, but these are passed as plaintext

43
New cards

Simple Authentication and Security Layer (SASL)

This framework allows a client and server to negotiate authentication and encryption parameters to make a connection over TCP port 389 secure

44
New cards

LDAP Secure (LDAPS)

Server is installed with a digital certificate, which it uses to set up a secure Transport Layer Security session to authenticate the server and protect the user’s LDAP credentials and data. LDAPS uses port 636

45
New cards

Deploying systems in a secure configuration is known as:

device hardening

46
New cards

Some of the policies that will make up a secure configuration involve the following:

  • Change default passwords/credentials

  • Enforce password complexity/length requirements

    • Length

    • Complexity

    • Avoiding Common Passwords

  • Configure role-based access

  • Disable unneeded network services

  • Disable insecure protocols

47
New cards

Change default passwords/credentials

  • Devices such as wireless access points, switches, and routers sometimes ship with a default management password such as password, admin, or the device vendor's name.

  • These should be changed on installation. 

48
New cards

Enforce Password Complexity/Length Requirements

Passwords for network infrastructure must be highly resistant to guessing and cracking attacks.
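Added example, not part of the course material: a policy checker covering the three bullets of the previous card (length, complexity, avoiding common passwords) plus a check that the password does not contain the username or the vendor name, which the default-credentials card warns about. The denylist is constructed and stands in for a real breached-password list; the thresholds, the leetspeak map and the passphrase exemption are assumptions, not CompTIA requirements.

```python
import string

# Constructed denylist: a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password", "admin", "cisco", "123456", "letmein", "qwerty", "welcome"}
MIN_LENGTH = 14            # assumption: infrastructure credentials get a long minimum
PASSPHRASE_LENGTH = 20     # assumption: long passphrases are exempt from the class rule
LEET = str.maketrans("@$0345", "asoeas")   # undo the usual substitutions ("p@ssw0rd")


def character_classes(candidate):
    """Count how many of lower, upper, digit and symbol appear in the candidate."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(check(c) for c in candidate) for check in checks)


def normalize(candidate):
    """Lower-case, strip trailing digits/symbols, then undo leetspeak, so that
    'P@ssw0rd123!' is compared to the denylist as 'password'."""
    base = candidate.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET)


def check_password(candidate, username="", vendor=""):
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) < PASSPHRASE_LENGTH and character_classes(candidate) < 3:
        failures.append("fewer than three character classes")
    if candidate.lower() in COMMON_PASSWORDS or normalize(candidate) in COMMON_PASSWORDS:
        failures.append("matches a common or default password")
    lowered = candidate.lower()
    for label, word in (("username", username), ("vendor name", vendor)):
        if word and word.lower() in lowered:
            failures.append(f"contains the {label} '{word}'")
    return failures


if __name__ == "__main__":
    for pw, kw in (("P@ssw0rd123!", {}),
                   ("cisco-Router-2024", {"vendor": "Cisco"}),
                   ("correct horse battery staple", {}),
                   ("Tr0ub4dor&3gZq9", {"username": "admin"})):
        print(repr(pw), check_password(pw, **kw) or "OK")
```

The normalization step matters more than the class count: "P@ssw0rd123!" satisfies every complexity rule and is still one of the first guesses a cracking wordlist makes, so the check strips the decoration before consulting the denylist.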

49
New cards

Configuring role-based access

  • The default administrator, superuser, or root account has unrestricted access to the device.

  • If the credentials for this account are shared, the risk of compromise is greatly magnified.

  • Role-based access means that a limited set of permissions is configured for different administrative groups, such as separating permissions for configuring the system to those for configuring logging and auditing.

  • This separation of duties reduces impacts from the compromise of any single account.

50
New cards

Disable unneeded network services

  • Any services or protocols that are not used should be disabled.

  • This reduces the attack surface of a network appliance or OS. Attack surface means the range of things that an attacker could possibly exploit in order to compromise the device.

  • It is particularly important to disable unused administration interfaces.

51
New cards

Disable insecure protocols

  • Sniffing attacks can be mitigated by encrypting the channel over which communications take place.

  • This means that even if the eavesdropper can listen to the message, they cannot understand it without obtaining the encryption key.

  • It is important to understand which protocols are insecure in terms of using unencrypted channels. This is particularly important when using a channel to authenticate.

  • Insecure protocols should be deprecated, and secure protocols should be used instead. For example, the original versions of SNMP are unencrypted.

  • To implement secure SNMP, either configure SNMPv3, which supports encryption, or use an encapsulation protocol such as IPSec to encrypt SNMP traffic.

52
New cards

Network Access Control (NAC)

System for authenticating endpoints before they can fully connect to the network

53
New cards

MAC Filtering

Defining which MAC addresses are permitted to connect to a particular port

54
New cards

If a host attempts to connect with a MAC address that violates policy, the switch port enters a violation state:

  • Protect mode means the port drops frames from the invalid source address but keeps the interface open otherwise.

  • Restrict mode drops frames and logs and alerts violations but also keeps the interface open.

  • Shutdown mode disables the port and sends alerts. The port must be manually re-enabled using the no shutdown command. This is the default mode.
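Added example, not part of the course material: a simulation of the three violation modes above, run over a few constructed frames so the difference in behaviour (silent drop, drop plus log, port err-disabled until "no shutdown") is visible. The class, method names and log strings are assumptions that mimic, but are not, switch firmware.

```python
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    mode: str = "shutdown"       # "protect", "restrict" or "shutdown" (the default)
    maximum: int = 1             # maximum secure MAC addresses on the port
    allowed: set = field(default_factory=set)   # statically configured secure MACs
    learned: set = field(default_factory=set)   # dynamically (or sticky) learned MACs
    enabled: bool = True         # False once the port is err-disabled
    violations: int = 0
    log: list = field(default_factory=list)

    def __post_init__(self):
        if self.mode not in ("protect", "restrict", "shutdown"):
            raise ValueError(f"unknown violation mode {self.mode!r}")
        self.allowed = {m.lower() for m in self.allowed}

    def ingress(self, src_mac):
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        mac = src_mac.lower()
        if not self.enabled:
            return "drop"                 # an err-disabled port passes nothing
        secure = self.allowed | self.learned
        if mac in secure:
            return "forward"
        if len(secure) < self.maximum:
            self.learned.add(mac)         # room left: learn it as a secure address
            return "forward"
        return self._violation(mac)

    def _violation(self, mac):
        self.violations += 1
        if self.mode == "protect":
            return "drop"                 # silent drop; port stays up, nothing logged
        if self.mode == "restrict":
            self.log.append(f"violation: {mac} on secured port (restrict)")
            return "drop"                 # drop, log/alert, port stays up
        self.log.append(f"violation: {mac} on secured port; port err-disabled")
        self.enabled = False              # shutdown: port goes err-disabled
        return "drop"

    def no_shutdown(self):
        """Administrator re-enables an err-disabled port ('no shutdown')."""
        self.enabled = True


# Constructed traffic: a legitimate host, an unexpected host, the legitimate host again.
FRAMES = ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01",
          "de:ad:be:ef:00:02", "aa:bb:cc:00:00:01"]


def simulate(mode, frames=FRAMES, allowed=(), maximum=1):
    """Run the frames through a port in the given mode; return (decisions, port)."""
    port = PortSecurity(mode=mode, maximum=maximum, allowed=set(allowed))
    return [port.ingress(f) for f in frames], port


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        decisions, port = simulate(mode)
        print(mode, decisions, "port up" if port.enabled else "err-disabled", port.log)
```

Note the operational trade-off the simulation makes visible: protect and restrict keep the legitimate host working after the violation, while shutdown takes the legitimate host offline too until an administrator intervenes, which is why shutdown is the safer default but generates help-desk tickets.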

55
New cards

Extensible Authentication Protocol (EAP)

Provides a framework for deploying multiple types of authentication protocols and technologies when an endpoint device needs to be authenticated before it can join the network.
