Security technology typically falls into one of three categories.

The first links user authentication and authorization to the network infrastructure: it verifies the identity of those requesting access and prescribes what users are allowed to do.

The second provides data confidentiality through firewalls, management control, routing, privacy and encryption, and access control.

The third provides data on network activities and assists network administrators in accounting for network usage, discovering unauthorized activities, and scanning the network for security vulnerabilities.
Let’s start by looking at some Identity technologies. Again, identity is the recognition of each individual user and the mapping of their identity, location and time to policy: the authorization of their network services and what they can do on the network.
Why is identity important? With IP addresses no longer being static (because of exhaustion of the address space) and with solutions such as NAT and DHCP, people are no longer tied to addresses. Ideally, we should be able to gain appropriate access based on who we are.
Identity can be determined by a number of technologies (user name and password, token card, digital certificate), and each can be configured with a policy setting that indicates the degree of trust.
Administrators can also configure access by time of day—identity
authorizations can also include a time metric for future time-based
The key to centralized identity and security policy management is the “combination” of all key authentication mechanisms, from SecurID and DES Dial cards to MS Login, and their internetworking with one common identity repository. To be truly centralized and configured only once, the identity mechanism must also be media independent: equally applicable to dial-in users and campus users, for example.
Let’s look at some of these technologies.
For basic security, user IDs and passwords can be used to authenticate remote users.

First, a remote user dials into the network access server (NAS). The NAS negotiates data link setup with the user using (most likely) PPP. As part of this negotiation, the user must send a password to the NAS. This is usually handled by either the PAP or CHAP protocol, which we’ll cover in more detail in a little bit.

Next, the NAS forwards the user’s password to a AAA server to verify that it is legitimate. The protocol used between the NAS and the AAA server is (most likely) either TACACS+ or RADIUS. I’ll be covering these protocols in more detail in a minute.

When the AAA server gets the user ID and password, it checks its database of legitimate users and looks for a match. If a match is found, the AAA server sends the NAS a call accept message. If not, the AAA server sends the NAS a call reject message.
If the call is accepted, the user is connected to the campus
PAP and CHAP Authentication
Now let’s back up for a minute and explain a little more about the process of dial-in connections. Many of you have probably heard of PPP (Point-to-Point Protocol) before. PPP is used primarily on dial-in connections since it provides a standard mechanism for passing authentication information, such as a password, from a remote user to the NAS. Two protocols are supported to carry the authentication information: PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). These protocols are well documented in IETF RFCs and widely implemented in vendor products.
PAP provides a simple password protocol. The user ID and password are sent at the beginning of the call, then validated by the access server against a central PAP database. The PAP password database is encrypted, but the password itself is sent in clear text across the public network. A AAA server may be used to hold the password database.

The problem with PAP is that it is subject to sniffing and replay attacks: anyone who can intercept the communication can reuse the captured information to impersonate a legitimate user.
CHAP provides an improved authentication protocol. The access server periodically challenges remote access devices, such as a router, to provide the proper password. The initial CHAP authentication is performed during login; the network administrator can specify the rate of subsequent authentication. These repeated challenges limit the exposure time of any single attack. The password is sent encrypted. Both sides can use the challenge/response mechanism supported by CHAP to authenticate the device at the other end.