Authenication Services

Swith Security
802.1x for port security
802.1q trunking and sub interfaces can implement ACLs on sub interfaces
Spanning tree protocal- STP and RSTP prevent loops- Root bridge and non root bri
dge - will block loops by droping packets. Layer 2 protocol that runs on bridges
and switches.
The specification for STP is IEEE 802.1D.
RSTP (IEEE 802.1w) natively includes most of the Cisco proprietary enhancements
to the 802.1D spanning tree, such as BackboneFast, UplinkFast, and PortFast.
(STP) The bridges have to determine the root bridge and compute the port roles (
root, designated, or blocked) with only the information that they have. To ensur
e that each bridge has enough
information, the bridges use special data frames called Bridge Protocol
Data Units (BPDUs) to exchange information about bridge IDs and root path costs.
A bridge sends a BPDU frame using the unique MAC address of the port itself as a
source address, and a destination address of the STP multicast address 01:80:C2
:00:00:00.
The bridge priority default is 32768 and can only be configured in multiples of
4096. When comparing two bridge IDs, the priority portions are compared first an
d the MAC addresses are compared
only if the priorities are equal.
STP switch port states:
Blocking - A port that would cause a switching loop if it were active. N
o user data is sent or received over a blocking port, but it may go into forward
ing mode if the other links in use
fail and the spanning tree algorithm determines the port may tra
nsition to the forwarding state. BPDU data is still received in blocking state.
Prevents the use of looped paths.
Listening - The switch processes BPDUs and awaits possible new informati
on that would cause it to return to the blocking state. It does not populate the
MAC address table and it does not
forward frames.
Learning - While the port does not yet forward frames it does learn sour
ce addresses from frames received and adds them to the filtering database (switc
hing database).
It populates the MAC address table, but does not forward frames.
Forwarding - A port receiving and sending data, normal operation. STP st
ill monitors incoming BPDUs that would indicate it should return to the blocking
state to prevent a loop.
Disabled - Not strictly part of STP, a network administrator can manuall
y disable a port
The sequence of events to determine the best received BPDU (which is the best pa
th to the root) is
Lowest root bridge ID - Determines the root bridge
Lowest cost to the root bridge - Favors the upstream switch with the lea
st cost to root
Lowest sender bridge ID - Serves as a tie breaker if multiple upstream s

witches have equal cost to root

Lowest sender port ID - Serves as a tie breaker if a switch has multiple
(non-Etherchannel) links to a single upstream switch, where:
Bridge ID = priority (4 bits) + locally assigned system ID extension (12
bits) + ID [MAC address] (48 bits); the default bridge priority is 32768, and
Port ID = priority (4 bits) + ID (Interface number) (12 bits); the defau
lt port priority is 128.
To prevent the delay when connecting hosts to a switch and during some topology
changes, Rapid STP was developed, which allows a switch port to rapidly transiti
on into the forwarding
state during these situations.
The Rapid Spanning Tree (RSTP) extension uses a specific RSTP BPDU
Flood gurads on some venders will help if STP/RSTP fails- based on brocast % yo
u can change the %
Logging is important but it is useless if not reviewed - reviewing will help clo
se un-need ports or plaintext ports I.E. 21 FTP, 23 Telnet, 443 is secure SSL/TL
S
3389 RDP is encrypted- a proprietary protocol developed by Microsoft, which prov
ides a user with a graphical interface to connect to another computer over a net
work connection
UTM - unified threat managment- UTM is the evolution of the traditional firewall
into an all-inclusive security product able to perform multiple security functi
ons within one single system:
network firewalling, network intrusion detection/prevention (IDS/IPS), g
ateway antivirus (AV), gateway anti-spam, VPN, content filtering, load balancing
, data loss prevention,
and on-appliance reporting.
Log analysis - a periodic review of the logs is nessicary if a new user is creat
ed/premited and be sure it was with proper change control
If you do not manualy add an implecit deny ip any any on a F/W or router you wil
l not see the hit counts. If you add the implecit deny mannualy you can see how
many times traffic was denied
Authentication services and protocols

Centralized DB of UN/PW's - centralized database programs have been developed to

allow users to log in on multiple computers/server using a single UN/PW. When y
ou try to authenicate to a server
the server will make a request to the centralized DB. This is useful bec
ause the company dosn't have to keep all UN/PW's on each of their servers.
Authentication - 2 parts uesed to verift ID(UN)/(PW) (Can be many more when work
ing with multi-factor authentication, Ex. DUO, RSA fobs, biometrics ect..)
Tripple AAA=
Authentication- The process of identifying an individual, usually based on a use
rname and password. In security systems, authentication is distinct from authori
zation ,

which is the process of giving individuals access to system obje

cts based on their identity. Authentication merely ensures that the individual i
s who he or she claims to be,
but says nothing about the access rights of the individual. (Exa
mples of credentials include passwords, one-time tokens, digital certificates, a
nd phone numbers calling/called)
Authroziation- The process of granting or denying access to a network resource.
Most computer security systems are based on a two-step process. The first stage
is authentication,
which ensures that a user is who he or she claims to be. The sec
ond stage is authorization, which allows the user access to various resources ba
sed on the user's identity.
May be based on restrictions, for example, time-of-day restricti
ons, or physical location restrictions, or restrictions against multiple logins
by the same user.
Examples of services include, IP address filtering, address assi
gnment, route assignment, encryption, QoS/differential services, bandwidth contr
ol/traffic management, etc.
Accounting- The process of keeping track of a user's activity while accessing
a network's resources, including the amount of time spent in the network,
the services accessed while there and the amount of data transfe
rred during the session.
Accounting data can also be used for for trend analysis, capacit
y planning, billing, auditing and cost allocation.

SSL/TLS
SSL
VPN is secured by SSL(Secure Sockets Layer)/TLS(Transport Layer Security) or IPS
ec over the public internet.
The connection is private (or secure) because symmetric cryptography is
used to encrypt the data transmitted.

Symmetric-key algorithms are algorithms for cryptography that use the same crypt
ographic keys for both encryption of plaintext and decryption of ciphertext.
The keys may be identical or there may be a simple transformation to go
between the two keys. The keys, in practice, represent a shared secret between t
wo or more parties
that can be used to maintain a private information link. This requiremen
t that both parties have access to the secret key is one of the main drawbacks o
f symmetric key encryption.
This is how it should work with SSL - When the client connects to the server, it
negotiates a so-called ciphersuite (combination of encryption, key exchange, au
thentication algorithms) to use.
Each SSL client or server has a list of allowed ciphersuites and during
handshake the client and the server negotiate on what ciphersuite to use. It can
happen sometimes, that there's
no common denominator (ciphersuites sets don't intersect) and connection
can't be established.
Several versions of the SSL/TLS protocols find widespread use in applications su

ch as web browsing, email,

Internet faxing, instant messaging, and voice-over-IP (VoIP)

TLS
TLS has a variety of security measures:
Protection against a downgrade of the protocol to a previous version or a weaker
cipher suite.
Numbering subsequent Application records with a sequence number and using this s
equence number in the message authentication codes (MACs).
Using a message digest enhanced with a key. Only a key-holder can check the MAC(
Message Authentication Codes). The HMAC construction used by most TLS cipher sui
tes is specified in RFC 2104
In cryptography, a keyed-hash message authentication code (HMAC) is a sp
ecific type of message authentication code (MAC)
involving a cryptographic hash function (hence the 'H') in combination w
ith a secret cryptographic key.
The identity of the communicating parties can be authenticated using public-key
cryptography. This authentication can be made optional,
but is generally required for at least one of the parties (typically the
server).
The pseudorandom function splits the input data in half and processes each one w
ith a different hashing algorithm (MD5 and SHA-1), then XORs them together to cr
eate the MAC.
This provides protection even if one of these algorithms is found to be
vulnerable.
Integrity can be ensured because each message transmitted includes a message int
egrity check useing message authentication code to prevent undetected loss or al
teration of the
data during transmission.
The message that ends the handshake ("Finished") sends a hash of all the exchang
ed handshake messages seen by both parties.
Note about--- SSL/TSL-SSL/TLS uses an underlying transport medium that provides
a bidirectional stream of bytes. That would put it somewhere above layer 4.
SSL/TLS organizes data as records, that may contain, in particular, handshake me
ssages. Handshake messages look like layer 5. This would put SSL/TLS at layer 6
or 7.
However, what SSL/TLS conveys is "application data", which is, in fact, a bidire
ctional stream of bytes.
Applications that use SSL/TLS really use it as a transport protocol.They then us
e their own data representation and messages and semantics within that "applicat
ion data".
Therefore, SSL/TLS cannot be, in the OSI model, beyond layer 4.
RADIUS= Remote Authentication Dial-in User service
Remote Access Server(RAS) - is older tech that can make connections through a mo

dem to the Public Switched Telephone Nertwork(PSTN) or an ISDN connection for us

ers to access a companies LAN.
To connect to the RAS- You can authenicate with the following- Password
Authenicaion Protocal(PAP) it is transmited in ClearText any one could caputure
the UN/PW.
A better authenication protocal is Chalange handsheke authenication prot
ocal (CHAP) CHAP never sends the full cleartext password over the WAN,
Microsoft also has MSCHAPv2 that has more features(user can connecet and
change their password ect.)
Likely on the backend the RAS was talking to a RADIUS server. The client is resp
onsible for passing user information to designated RADIUS servers, and then acti
ng on the response that is returned.
RADIUS servers are responsible for receiving user connection requests, a
uthenticating the user, and returning all configuration information necessary fo
r the client to deliver service
to the user. The RADIUS servers can act as proxy clients to other kinds
of authentication servers such as Microsoft AD Kerberose.
RADIUS relies on PAP/CHAP/MSCHAPv2 for user credential validation. The NAS sends
a "random" challenge to the user, who produces a one-way hash of the challenge
data and password
and returns that to the NAS. The NAS then sends the challenge and respon
se off to the RADIUS, meaning that the credentials are never sent over the wire
in any reversible way.
In order to get the password an attacker must capture the challenge and
response data then run a dictionary or brute force attack.
On the down side, the RADIUS server itself must have a plaintext copy of
the password available in order to verify that a response is correct given the
challenge.
Clearly if the RADIUS server's password database is compromised then thi
ngs get quite sticky. For proxy RADIUS, the proxy does not need access to plaint
ext passwords.
In summary, passwords are safe in flight but exposed at rest.
Network Access Server(NAS) refers to any combination of hardware and software to
enable the remote access tools or information that typically reside on a networ
k of IT devices.
RADIUS combines authentication, authorization and accounting
Devices such as RAS (CHAP)/, VPN server (IPSec) ,Ethernet Switches useing 802.1x
, (WAP) Wireless access points could use either 802.1x or 802.11i to authenicate
wireless users and
Wireless Lan Controler (WLC) could be all be set up as RADIUS clients Co
nfigure these devices to use the RADIUS AAA server to validate users.
You can simply revoke a users access on the AAA server and the user woul
d lose access to all devices configured as RADIUS clients
RADIUS uses UPD as the transport protocol, Ports can be UDP 1812(Default Value)/
1645 for Authenication and UDP 1813/1646 for accounting Based on how old and wha
t version of RADIUS.
The Authenticator is used to authenticate the reply from the RADIUS serv
er. Used in encrypting passwords; its length is 16 bytes.
RADIUS is very popular because of open standard, robust accounting features, les
s granular
RADUIS can also authenicate network devices FW's, Routers, Switches ect, support
s multupil vendor products since it's open source

RADIUS is commonly used to authenicate end users even when Cisco devices are in
use
Most RADIUS communication is unencrypted (Clear Text)
RADIUS encrypts only the passwords (Plain Text is input into an encryption algor
ithm)- other information, such as username, authorized services, and accounting,
can be captured by a third party.
DIAMETER
DIAMETER (supports EAP) is also a AAA protocol that can be used if your devices
support it
EAP= Extensible Authenication Protocol. Add's new commands, more flexible. DIAME
TER may be a replacement for RADUIS
EAP, is an authentication framework frequently used in wireless networks and poi
nt-to-point connections.
TACACS+
TACACS = Terminal Access Controller Access controler system
TACACS devoloped into XTACACS then it is common when talking about TACACS they a
re refering to TACACS+
TACACS+ uses TCP, port 49. Encrypts full payload of each packet so more secure t
han RADIUS is proprietary to Cisco, very granular control of authorization.
AAA is seperated. Can only be used with cisco devices.
TACACS+ typicaly used to authenicate ADMIN Users because of the granular authori
zation, you can be granted certin rights and permissions.
If you have some level of privilage to work on a device (VPN server ect) When en
tering commands in devices they will first check with the AAA server to see if t
he ADMIN has the
privilage required to execute the command. This is the authroziation pie
ce of a AAA server. Every time an Admin makes a change it is sent to the AAA ser
ver so the change
and who made the change is accounted for.
TACAS+ when supported just does a better job when supported, it's more granular.
Authentication Services
Kerberos is an authenication protocal not a AAA protocal, Kerberos will be seen
in Microsoft Active Direcitory.
A problem that Kerberos can solve is getting access all at once to all the resou
rces you are entitled to with SSO(Single Sign On) as long as it is the same doma
in.
SSO will initally communicate with a centralized server, very likely a Domain Co
ntroler and this server will be acting as a key distribution center(KDC).
KDC has a service running called a Tigcket Granting Service(TGS) Initall

y you will communicat with the KDC. Once you have authenicated with the KDC you
will send a request to the TGS,
TGS will grant a ticket that you can present to a server authenicating w
ho you are. The server will authenicate and then give access to the approiate fi
le's or directories
you have permisssions or rights to (this is access control). Tickets do
expire so you may have to authenicate again.
There will likely be multuiple DC's and KDC for fault tolornce purposes or scala
bility. But reguardless from an arctecture standpoint it is still a certrilized
location.
Kerberos uses Symmetrical Encryption. Since it's Symmetrical encryption you are
useing the same key or sharded key on both ends to encrypt and decrypt data. Ker
beros uses port: 88
Kerberos has strict time requirements, which means the clocks of the involved ho
sts must be synchronized within configured limits.
The tickets have a time availability period and if the host clock is not
synchronized with the Kerberos server clock, the authentication will fail.
Kerberos is primarily a UDP protocol, although it falls back to TCP for large Ke
rberos tickets. This may require special configuration on firewalls to allow the
UDP response from
the Kerberos server (KDC). Kerberos clients need to send UDP and TCP pac
kets on port 88 and receive replies from the Kerberos servers.
Kerberos uses port 88 TCP/UDP
To summarize, a firewall must allow, for all Kerberos clients:
Destination port 88 UDP outbound to Kerberos KDCs
Destination port 88 TCP outbound to Kerberos KDCs
Source port 88 UDP inbound from Kerberos KDCs
Servers providing additional Kerberized services will need:
Destination port 544 TCP inbound (rsh/rcp)
Destination port 2105 TCP inbound (rlogin)
Source port 1-1023, destination port 32000-65525 TCP outbound (rsh/rcp)
Systems behind a firewall that will be rsh or rcp clients will need: -Source por
t 1-1023, destination port 32000-65525 TCP inbound (rsh/rcp)
RDP is encrypted- a proprietary protocol developed by Microsoft, which provides
a user with a graphical interface to connect to another computer over a network
connection on port 3389(TCP/UDP)
LDAP
Microsoft's AD and it's servers can provide LDAP services.
LDAP= Light Directory Access protocol = Port 389 UDP/TCP. CLDAP is based on the
use of the UDP encapsulation. The UDP is used when there is a need to transfer d
ata
very quickly and the loss of some of the data has no great impo
rtance. It is also used to transmit small amout of datas because it is faster th
an TCP.
Normal LDAP is not encrypted on port 389 UDP/TCP - however you can implement TLS
/SSL for secure communications between the LDAP server and the AAA server useing

LDAPS
CN(Common Name) ex. Jonathan Tuck - OU(Organizational Unit(OU) ex. Accounting de
partment - O(Organization) ex ACME.com. X.500 like directory structure
If you already have a CN as a user object inside of AD and want centeralized man
agment of user accounts for access to the network and resources there is no need
to add the CN to the AAA server.
You can have the CN in AD and use that as a mecanism for authenication u
sers. 1 option is to have your RAS/VPN/Ethernet Switch/Wireless AP's connect dir
ectly to AD useing a protocal
like LDAP.
Another option is if you have a VPN server that only speaks RADIUS or tacacs+ yo
u can have your AAA server (Insted of haveing the CN created there) you can have
the AAA server
communicate with the LDAP server. Microsoft's AD and it's servers can p
rovide LDAP services.
When CN tries to connect they could iniate an IPSec VPN tunnel over the public i
nternet to the VPN server. The VPN server then can foward the request to the AAA
server.
The AAA server then sends the request to the LDAP server. If successful
there would be a positive message back from the LDAP server to the AAA server. T
hen the AAA server would
relay the positive message VIA RADIUS to the VPN server.
With LDAP you may have a system that can talk directly to the LDAP server or you
would go through an intermediat device like a AAA server who can then speak LDA
P to the LDAP server.
The AAA server would be configured as an LDAP client. You would specify what UN/
PW when it make the LDAP requests.
Normal LDAP is not encrypted on port 389 UDP/TCP.
SSL/TLS: LDAPS can also be tunneled through SSL/TLS encrypted connections. The w
ell known TCP port for SSL is 636 (Layer 4 OSI, Transport) while TLS is negotiat
ed within a plain
TCP connection on port 389.
Servers also often support the non-standard "LDAPS" ("Secure LDAP", commonly kno
wn as "LDAP over SSL") protocol on a separate port, by default 636. LDAPS differ
s from LDAP in
two ways: 1) upon connect, the client and server establish TLS before an
y LDAP messages are transferred (without a StartTLS operation) and 2) the LDAPS
connection must be closed upon
TLS closure.
LDAP binds- you could encrypt the whole TCP stream between the application and D
C using IPSEC with ESP or TLS. Thankfully most modern applications have some
kind of ability to perform secure LDAP connections.
Some applications authenticate with Active Directory Domain Services (AD DS) thr
ough simple BIND. As simple BIND exposes the users credentials in clear text, us
e of Kerberos is preferred.
If simple BIND is necessary, using SSL/TLS to encrypt the authentication
session is strongly recommended.
You can make LDAP traffic confidential and secure by using Secure Sockets Layer

(SSL) / Transport Layer Security (TLS) technology. LDAPS differs from LDAP in tw
o ways upon connect,
the client and server establish TLS before any LDAP messages are transfe
rred (without a StartTLS operation) and the LDAPS connection must be closed upon
TLS closure.
An SSL-encrypted LDAP integration (LDAPS) communicates over TCP on port
636 by default, this communication channel requires a certificate (X.509 Certifi
cate from CA).
Before you install a certification authority (CA), you should be aware that you
are creating or extending a public key infrastructure (PKI).
Be sure to design a PKI that is appropriate for your organization.
LDAP over SSL/TLS (LDAPS) is automatically enabled when you install an Enterpris
e Root CA on a domain controller installing a CA on a domain controller not a re
commended practice.
When you have a multi-tier (such as a two-tier or three-tier) CA hierarchy, you
will not automatically have the appropriate certificate for LDAPS authentication
on the domain controller.
In order to enable LDAPS in a multi-tier CA hierarchy, you must request a certif
icate that meets the following requirements:
Certificate must be valid for the purpose of Server Authentication. This
means that it must also contains the Server Authentication object identifier (O
ID): 1.3.6.1.5.5.7.3.1
The Subject name or the first name in the Subject Alternative Name (SAN)
must match the Fully Qualified Domain Name (FQDN) of the host machine, such as
Subject:CN=server1.me.com.
The host machine account must have access to the private key.
The primary reason for enabling this functionality is to allow third-party appli
cations that arent capable of performing encrypted LDAP sessions to connect secur
ely on port TCP 636BIND (authentication Protocol)
When an LDAP client connects to the server, the authentication state of
the session is set to anonymous. The BIND operation establishes the authenticati
on state for a session.
Simple BIND and SASL PLAIN can send the user s DN (Distinguished Name, s
immilar to CN-common name) and password in plaintext, so the connections utilizi
ng either Simple or SASL PLAIN
should be encrypted using Transport Layer Security (TLS). The server typ
ically checks the password against the userPassword attribute in the named entry
.
SASL (Simple Authentication and Security Layer) BIND provides authentica
tion services through a wide range of mechanisms, e.g. Kerberos or the client ce
rtificate sent with TLS.
BIND also sets the LDAP protocol version by sending a version number in
the form of an integer. If the client requests a version that the server does no
t support,
the server must set the result code in the BIND response to the code for
a protocol error. Normally clients should use LDAPv3, which is the default in t
he protocol but not always in LDAP
libraries. BIND had to be the first operation in a session in LDAPv2, bu
t is not required as of LDAPv3. In LDAPv3, each successful BIND request changes
the
authentication state of the session and each unsuccessful BIND request r
esets the authentication state of the session.

SAML
SAML = Security Assertion Markup Language
Authentication is done at the primary website and allows you to still do busines
s with affilaiated sites. I.E. Booking a flight(Primary). Hotel(affilaiated), Ca
r rental(affilaiated).
The authication data is being shared between those various sites. The authinicat
ion and authorization data is being sharded from the Primary site to the affilai
ates.
In this situation you would be the Principal, the primary company you connected
to would be the identity Provider, any affilaiated sites are known as service pr
oviders.