Authentication/Authorization, Access List, Filters, Firewalls, IDS/IPS

Authentication
• Who ?
• Mechanism to verify the identity of the user who
is accessing a system or network
• Applicable for both over-the-network access and
local, console-based access
• The credential store can be local or a third-party
repository
• The verification itself can also be performed locally or
by a third party
Authentication Credentials
• Most widely used credentials are username, password.
• Others such as smart cards, biometrics can also be
used.
• Multilayer authentication/authorization are also used
for high-security scenarios.
– Multiple credentials or types of credentials can be combined
to have access
• Sometimes, shared or split credentials are also used:
– half of password with one person and the other half with
another person.
Authorization
• Generally follows the authentication step
• Defines the access privileges and authority of
the user in the system
• Depends upon pre-defined rules for access
privileges for each user or group of users.
– Rule-based or role-based access control
mechanisms are used in many systems to define
user privileges and rights.
Local or over the network
• Local authentication/authorization involves local user
database consisting of their credentials and privileges
– Most networked systems have local user option available
• Same can be accomplished by a third party or
separate system that provides
authentication/authorization services
• Useful for centralized access management for entire
network.
– More scalable and also easier for users as they have to
know only one set of credentials.
RADIUS/TACACS+
• The de-facto AAA system standards
• Widely used
• Enable network-based, centralized
authentication, authorization, accounting
regime
• RADIUS is an open standard whereas TACACS+
originated as a Cisco proprietary standard.
RADIUS/TACACS+
Feature                                   RADIUS          TACACS+
Scope of encryption (whole packet
  payload or just the password)           Password only   Entire payload
Layer 4 protocol                          UDP             TCP
Well-known port used for authentication   1812            49
Standard or proprietary                   RFC 2865        Proprietary

Deployment
• A simple layout of the network-based
authentication system
• The auth server can be RADIUS or other
AAA – ISP Example
• Access system connected to Auth server
• Auth server connects to the user management
database and application front-end engine
• Auth server also connects to the access rule
engine and billing system
Filters/Access Lists
• Access rules or filters are designed to allow or
disallow packets
– Coming into the network
– Going out of it
• Typically analyze packet header information
and apply predefined rules
• Deny or allow to pass
Filtering Rules
• Rules based on various criteria
– Addresses – source or destination
– Services (ports, protocols)
– Applications
– Data rates
Access List – Cisco Example
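The Cisco example slide above is image-only in this copy. As an added example (not from the deck and not Cisco's own code), the following Python models the semantics the Filtering Rules slide describes: rules keyed on addresses, protocol and port, evaluated top-down, first match wins, and an implicit deny for anything left over. The rule set, addresses and the `access-list 101` number are constructed for the illustration; `to_cisco` also prints each rule in Cisco's wildcard-mask notation so the two views can be compared.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added illustration of Cisco-style extended ACL semantics (not the deck's
# own example): rules are checked top-down, the first match decides, and a
# packet that matches nothing hits the implicit "deny any" at the end.

@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    protocol: str                   # "tcp", "udp", "icmp", or "ip" (any protocol)
    src: str                        # CIDR; "0.0.0.0/0" means any
    dst: str
    dst_port: Optional[int] = None  # None means any destination port

@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True

def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); index None = implicit deny."""
    for i, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", None

def wildcard(cidr: str) -> str:
    """Render a CIDR the way Cisco ACLs write it: 'any', 'host X', or 'net wildcard'."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"  # wildcard mask = inverted netmask

def to_cisco(rule: Rule, number: int = 101) -> str:
    parts = [f"access-list {number}", rule.action, rule.protocol,
             wildcard(rule.src), wildcard(rule.dst)]
    if rule.dst_port is not None:
        parts.append(f"eq {rule.dst_port}")
    return " ".join(parts)

# Constructed inbound ACL for an Internet-facing router interface.
INBOUND_ACL = [
    Rule("deny",   "ip",  "10.0.0.0/8", "0.0.0.0/0"),          # anti-spoofing: internal source seen from outside
    Rule("permit", "tcp", "0.0.0.0/0",  "10.1.1.10/32", 443),  # public web server
    Rule("permit", "tcp", "0.0.0.0/0",  "10.1.1.20/32", 25),   # mail relay
    Rule("deny",   "tcp", "0.0.0.0/0",  "0.0.0.0/0", 23),      # explicit deny so telnet attempts are counted
]

if __name__ == "__main__":
    for r in INBOUND_ACL:
        print(to_cisco(r))
    for pkt in (Packet("tcp", "203.0.113.5", "10.1.1.10", 443),
                Packet("tcp", "10.2.3.4", "10.1.1.10", 443),
                Packet("udp", "203.0.113.5", "10.1.1.10", 443)):
        print(pkt, "->", evaluate(INBOUND_ACL, pkt))
```

The order of the rules matters: the anti-spoofing deny sits first so that a packet claiming an internal source address never reaches the permit lines, and the trailing explicit deny for port 23 exists only so that such attempts show up in the rule's hit counter rather than disappearing into the implicit deny.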
Firewall
• Advanced form of access lists and filters
• Can act at various layers of the protocol stack
• Can be stateful or stateless
• Can work based on access rules, patterns or
signature databases
• Can be used for network filtering, content
filtering and also for lawful interception
• Can be hardware (ASIC) based or software based
Simple Firewall Deployment
Typical Function of Firewall
• Isolate internal network from external
network – especially Internet
• Allows the network administrator to control
access between the outside world and the
resources within the internal network
• Can be typically of two types
– Packet filtering firewalls (network layer)
– Application gateway (application layer)
Packet Filtering Firewall
• Can be implemented by using custom-built
firewall software / appliances or by using
other equipment such as host-based
applications (iptables) or routers (access lists)
Application Gateways
• Can analyze and decide based on application
data
• Is specific to a particular application
Application Gateways
• Can decide based on end-user identity and the
data they pass through the network – this is
not possible with normal packet filtering
which is based on headers only.
• Drawback is that a separate gateway needed
for each application.
Types of Firewall Control
• Service control: addresses, ports, protocols,
proxying and filtering service requests, provide
front-face for protected services
• Direction control: inbound or outbound
• User control: control access to a system based on
who is attempting to access.
• Behaviour control: restrict a certain type of
service activity or a part of network. E.g. spam or
partial protection of network services.
Firewall – Stateful and Stateless
• A traditional packet filter makes decisions
based on individual packet.
– Memory-less
• Stateful firewalls remember the connection or
packet state and make decisions based on the
context rather than single packet
– Have memory or information about ‘states’
– Keep track of connections or sessions and apply
rules also based on those
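As an added example (not from the deck), the Python below puts the two models side by side: a stateless "established" rule that lets any inbound packet through as long as its ACK flag is set, and a stateful filter that keeps a table of connections opened from the inside and admits inbound packets only if they belong to one of them. The packet fields, addresses and timestamps are constructed; the idle timeout value is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Added illustration (not from the deck): a minimal stateful TCP filter next to
# the stateless "established" rule it replaces.

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters, e.g. "S", "SA", "A", "FA", "R"
    direction: str   # "out" = inside -> Internet, "in" = Internet -> inside
    ts: float = 0.0  # seconds; drives the idle timeout

def stateless_established(p: Packet) -> str:
    """Stateless rule: inbound is allowed only if ACK is set (the classic
    'established' keyword). It has no memory, so any ACK-bearing packet passes."""
    if p.direction == "out":
        return "allow"
    return "allow" if "A" in p.flags else "deny"

class StatefulFirewall:
    """Keeps a table of inside-initiated flows; inbound packets are allowed only
    if they belong to one of them."""

    def __init__(self, idle_timeout: float = 300.0):   # timeout is an assumed value
        self.flows: Dict[Tuple[str, int, str, int], float] = {}  # flow key -> last seen
        self.idle_timeout = idle_timeout

    @staticmethod
    def _key(p: Packet, reverse: bool = False):
        # Flows are keyed from the inside host's point of view.
        if reverse:
            return (p.dst, p.dport, p.src, p.sport)
        return (p.src, p.sport, p.dst, p.dport)

    def _expire(self, now: float) -> None:
        for key, last in list(self.flows.items()):
            if now - last > self.idle_timeout:
                del self.flows[key]

    def process(self, p: Packet) -> str:
        self._expire(p.ts)
        key = self._key(p, reverse=(p.direction == "in"))
        if p.direction == "out" and p.flags == "S":
            self.flows[key] = p.ts      # new connection opened from inside
            return "allow"
        if key not in self.flows:
            return "deny"               # unsolicited: inbound SYN, ACK probes, stray packets
        if "R" in p.flags:
            del self.flows[key]         # a reset tears the flow down immediately
        else:
            self.flows[key] = p.ts      # refresh last-seen time
        return "allow"

    def active_flows(self) -> int:
        return len(self.flows)

if __name__ == "__main__":
    fw = StatefulFirewall()
    probe = Packet("203.0.113.9", 443, "10.0.0.5", 40001, "A", "in", 1.0)
    print("stateless:", stateless_established(probe), " stateful:", fw.process(probe))
```

The ACK probe is the instructive case: the stateless rule cannot tell a reply from a fabricated ACK and allows it, while the stateful filter denies it because no inside host ever opened that connection. FIN handling is kept simple here (the flow just ages out); a production filter would track the close handshake explicitly.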
Firewall Bases
• Dedicated firewall system – appliance or
software
• Router or switch based packet filtering
• Host-based – for protecting a single host using
a native or third party application –
independent of network type or topology
• Personal – specifically designed for personal
computers – less sophisticated, simple
Firewall – Windows Example
Positioning the Firewall
• DMZ network – separates high security and
medium security sections
• VPN or tunnel based – suitable for systems
connected over the shared Internet
infrastructure – normally used for remote
access and branch/franchise connectivity
• Distributed – combination of network and
individual host-based firewalls – highest
security, highest complexity, highest cost
Intrusion Detection / Prevention
• Intrusion is an unauthorized entry into the
networked system
• Is normally malicious
• Exploits a known vulnerability or predictable
system user behavior to gain privileged access
• Detection is generally done through behavior
analysis and anomaly detection
The Stages of a Network Intrusion
1. Scan the network to:
• locate which IP addresses are in use, (e.g. nmap in linux)
• what operating system is in use,
• what TCP or UDP ports are “open” (being listened to by
Servers).
2. Run “Exploit” scripts against open ports
3. Get access to Shell program which is “suid” (has “root”
privileges).
4. Download from Hacker Web site special versions of systems
files that will let Cracker have free access in the future without
his cpu time or disk storage space being noticed by auditing
programs.
5. Use IRC (Internet Relay Chat) to invite friends to the feast.

Henric Johnson 25
Example: nmap – know open services
• Tells what services, ports etc. are open on
remote computers.
• Is an administrative tool but can also be
misused as a first stage of intrusion
preparation
Intrusion Detection
• The intruder can be identified and ejected from the
system.
• An effective intrusion detection can prevent
intrusions.
• Intrusion detection enables the collection of
information about intrusion techniques that can be
used to strengthen the intrusion prevention facility.

Intrusion Detection Techniques
• Statistical anomaly detection
– Threshold detection
– Profile based
• Rule based detection
– Anomaly detection
– Penetration identification

Profiles of Behavior of Intruders and
Authorized Users

Measurable Parameters used in Intrusion
Detection
• Login frequency by day and time.
• Frequency of login at different locations.
• Time since last login.
• Password failures at login.
• Execution frequency.
• Execution denials.
• Read, write, create, delete frequency.
• Failure count for read, write, create and delete.

Password Hardening
A Major Step in Intrusion Prevention
• Password guessing and brute force calculation
are most popular intrusion techniques
• So, need to make passwords strong
– Combination of alphabets, numbers, other
characters
• ‘p@5sw0RD!2#’ is stronger than ‘password123’
– Avoid using names, pet names, object names etc in
password
– Frequently change critical and daily used passwords
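As an added example (not from the deck), the Python below turns the rules on this slide into an enforceable policy check: minimum length, a minimum number of character classes, and rejection of passwords containing common words or the user's own name. The word list is a constructed stub standing in for a real dictionary, and the length and class thresholds are assumed values. `estimate_bits` gives the crude search-space figure behind the slide's comparison of the two sample passwords; it deliberately ignores dictionary words, which is why the policy check tests those separately.

```python
import math
import string
from typing import List, Sequence

# Added illustration (not from the deck). The word list is a constructed stub;
# a real policy check uses a large dictionary plus the user's own names.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin", "secret"}

# (character set, size of that set) for the pool-size estimate
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 "other" characters
)

def char_classes(pw: str) -> int:
    """Number of character classes (lower, upper, digit, other) present."""
    return sum(1 for chars, _ in CLASSES if any(c in chars for c in pw))

def estimate_bits(pw: str) -> float:
    """Crude search-space estimate: length * log2(size of the classes used)."""
    pool = sum(size for chars, size in CLASSES if any(c in chars for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def check_password(pw: str, user_names: Sequence[str] = (),
                   min_length: int = 10, min_classes: int = 3) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.
    min_length and min_classes are assumed policy values."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if char_classes(pw) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    lowered = pw.lower()
    for word in sorted(COMMON_WORDS):          # sorted so the output order is stable
        if word in lowered:
            problems.append(f"contains common word '{word}'")
    for name in user_names:
        if len(name) >= 3 and name.lower() in lowered:
            problems.append(f"contains the user's name '{name}'")
    return problems

if __name__ == "__main__":
    for candidate in ("p@5sw0RD!2#", "password123"):
        print(candidate, round(estimate_bits(candidate), 1), "bits",
              check_password(candidate) or "accepted")
```

The substring checks are case-insensitive but do not undo leetspeak substitutions; a stricter policy would normalise `@`, `0`, `5` and similar before the dictionary test.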
Snort: IPS System Example
• Take it as a case study
– What is snort?
– How does it work?
– How to use it ?
• Ref: http://www.snort.org
