IS 6973 - PowerPoint PPT Presentation

Slides: 21
Provided by: alanandj

Transcript and Presenter's Notes

1
IS 6973
  • Chapter Nine
  • Identity Design Considerations

2
Basic Foundation Identity Concepts
  • Most basic applications support an ID and password
  • Public key authentication is more secure, but also
    slower and costlier
  • The need to manage keys may require a certificate
    authority (CA)

3
Device Versus User Identity
  • Device identity: identity of a network entity
    (such as a MAC address)
  • Can usually assert the identity of a given
    device, but not the user of the device
  • User identity: identity of a user (such as an ID
    and password)

4
Network versus Application Identity
  • Network identity: capability of the network to
    validate a device or user identity
  • EAP (Extensible Authentication Protocol):
    determines network identity by validating user
    identity credentials
  • IP address: network identity that identifies a
    particular device
  • Application identity: a given application
    validates a device or user identity
  • Application identity is often separate from
    network identity
  • Application identities are often separate from
    other application identities
  • Why is this lack of integration and information
    sharing a network security problem?

5
Who Do You Trust???
  • Is intra-organization trust the same as
    inter-organization trust?
  • Need secure identity strategies, as well as secure
    storage of identity information

6
Authentication, Authorization, and Accounting
(AAA)
  • Authentication: who you are
  • Authorization: what you are allowed to do
  • Accounting: record of what you did
  • AAA is enforced throughout the system, in a
    variety of locations

7
AAA in Practice
  • User boots PC
  • User establishes a VPN connection to the
    corporate office
  • User downloads e-mail
  • User moves a file to network-based storage
  • User browses the Internet

8
Shared Identity
  • Example: an admin or guest account whose password
    is shared by several people; this provides ease
    of use, but makes it hard to identify who did what
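To make the AAA split (slide 6) and the shared-identity problem (slide 8) concrete, here is an added example, not code from the slides: a tiny AAA server whose accounting log can only record the identity that authenticated, so two people using one `admin` password become indistinguishable. All identities, passwords and the policy table are constructed.

```python
"""AAA with individual versus shared identities.

Added example, not code from the slides. A tiny AAA server authenticates a
credential, authorizes an action against a per-identity policy and writes an
accounting record. All names, passwords and policy entries are constructed.
"""
import hashlib
import hmac
import os


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_store(creds: dict) -> dict:
    """identity -> (salt, hashed password); the password itself is never kept."""
    store = {}
    for ident, pw in creds.items():
        salt = os.urandom(16)
        store[ident] = (salt, _hash(salt, pw))
    return store


# Authorization policy: identity -> actions it may perform (constructed)
POLICY = {
    "alice": {"read_mail", "write_file"},
    "bob": {"read_mail"},
    "admin": {"read_mail", "write_file", "change_firewall"},
}


class AAAServer:
    def __init__(self, store: dict, policy: dict):
        self.store, self.policy, self.log = store, policy, []

    def authenticate(self, ident: str, password: str) -> bool:
        rec = self.store.get(ident)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _hash(salt, password))

    def authorize(self, ident: str, action: str) -> bool:
        return action in self.policy.get(ident, set())

    def request(self, ident: str, password: str, action: str) -> bool:
        ok = self.authenticate(ident, password) and self.authorize(ident, action)
        # Accounting can only name the identity that authenticated, not the person
        self.log.append((ident, action, "allow" if ok else "deny"))
        return ok


def who_changed_firewall(server: AAAServer) -> set:
    return {i for i, a, r in server.log if a == "change_firewall" and r == "allow"}
```

When Alice and Bob each change the firewall using the shared `admin` credential, `who_changed_firewall` returns only `{"admin"}`: the accounting record is intact but no longer identifies a person.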

9
Forms of Identification
  • Device to network
  • User to network
  • User to application

10
Types of Identity
  • Physical access: keys, card readers, smart cards
  • MAC address: identifies the device, not the user
  • IP address: may be combined with a user ID for
    select location privileges
  • Layer 4 info: port, sequence number
  • Username: strengthen with a one-time password (OTP)
  • Digital Certificates
  • Biometrics

11
Factors in Identity
  • Who you are
  • What you have
  • What you know/what it knows
  • Where you are/where it is

12
Potential AAA Server Clients
  • Firewall user authentication
  • Proxy server user authentication
  • Content-filtering user authentication
  • Dial-up network access
  • User VPN access
  • WLAN user authentication and key distribution
  • 802.1X/EAP LAN authentication
  • Application authentication
  • Administrator management access

13
Where do you Deploy the AAA Server?
  • Root server: the AAA server is the master
    repository for all user identity credentials
    (fig. 9-1); not a practical solution
  • Middleware server: core identity info is stored
    somewhere other than the AAA server (fig. 9-2);
    integration could be problematic
  • Mixed deployment: multiple AAA systems (fig. 9-3);
    most practical, but could be a security risk if
    not properly hardened

14
What are the Potential Problems? (Fig. 9-4)

15
AAA Server Summary
  • Read note on top of page 339

16
Gateway-Based Network Authentication
  • The ability of a network device to dynamically
    authenticate an IP or MAC address to the network,
    then apply access rights
  • Examples: (a) broadband connectivity in an
    airport or hotel; (b) proxy servers
  • The gateway device adds the user's address to a
    table of authorized addresses and grants access
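The address-table mechanism described above, as an added example that is not code from the slides: a captive-portal style gateway that redirects unknown source addresses to login, then adds the address with a lease once the user authenticates. The user database, addresses and lease length are constructed; a real gateway would check credentials against an AAA server.

```python
"""Gateway-based network authentication (captive-portal style).

Added example, not code from the slides. The gateway keeps a table of
authorized source addresses. Traffic from an address not in the table is sent
to the login step; after the user authenticates, the gateway adds the address
with a lease and forwards later traffic from it until the lease expires.
Users, addresses and the credential check are constructed for illustration.
"""
import hmac
import time

# Constructed user database; a real gateway would ask an AAA server instead
USERS = {"guest1": "hotel-wifi"}


class Gateway:
    def __init__(self, lease_seconds: float = 60.0, clock=time.monotonic):
        self.clock = clock          # injectable so expiry can be tested
        self.lease = lease_seconds
        self.authorized = {}        # address -> (username, expiry time)

    def _expire(self) -> None:
        now = self.clock()
        stale = [a for a, (_, exp) in self.authorized.items() if exp <= now]
        for addr in stale:
            del self.authorized[addr]

    def handle_packet(self, src_addr: str) -> str:
        """'forward' for an authorized address, otherwise 'redirect-to-login'."""
        self._expire()
        return "forward" if src_addr in self.authorized else "redirect-to-login"

    def login(self, src_addr: str, username: str, password: str) -> bool:
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return False
        # The table binds the *address* to the user: anything sent from this
        # address is forwarded until the lease ends (device, not user, identity)
        self.authorized[src_addr] = (username, self.clock() + self.lease)
        return True

    def owner(self, src_addr: str):
        self._expire()
        return self.authorized.get(src_addr, (None, None))[0]
```

The lease is the only thing that re-establishes the link to a user: as slide 3 notes, an address asserts the device, not who is using it, so short leases and re-authentication limit how long that gap lasts.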

17
PKI Usage
  • SSL/TLS certificates for internal servers such
    as HR or finance: can be done in-house or by a
    third party
  • Secure e-mail, e.g. S/MIME with certificates or
    PGP with manual public key exchange and
    validation
  • Site-to-site VPN: sites can validate each
    other's identity without using pre-shared keys

18
Identity Deployment Recommendations
  • Device to network: most easily done at L3
    (IP addresses)
  • IPsec/SSH/SSL: IPsec is the most secure method
    for authenticating endpoint devices in a network
  • User to network: keep user repositories
    consistent across the variety of user
    connectivity options (AAA server): LAN, WLAN,
    dial-up, etc.
  • User to application: ensure that your network
    identity framework is compatible with your
    application framework

19
Steps to Follow when Providing Identity Guidelines
  • Is it a device, a user, or both, that needs
    authentication?
  • What are the asset value and risk?
  • How much are you able to rely on physical
    security controls?
  • How much are you able to rely on other identity
    mechanisms?
  • Make your identity technology choice based on
    the past 4 questions. Remember: it is hard to
    have security without manageability.

20
Chapter 9 Review Questions
  • Compare and contrast user versus device identity.
    Provide examples of each.
  • Should inter-organization trust be the same as
    intra-organization trust? Why or why not?
  • Discuss the characteristics, advantages, and
    disadvantages of an AAA server.
  • Describe three potential AAA server clients. How
    would they benefit from interfacing with an AAA
    server?
  • What is gateway-based network authentication?
    Provide an example.
  • Provide examples of when and why an organization
    would institute PKI.
  • Discuss the steps to follow when providing
    identity guidelines.