Copyright Goodheart-Willcox Co., Inc. 467 Chapter 15 Network Security

of TACACS, which is a much older security system originally implemented for Unix servers. TACACS+ is a proprietary client/server AAA security system developed by Cisco Systems. The following table is a brief comparison of RADIUS and TACACS+:

    RADIUS                                          TACACS+
    Uses connectionless UDP                         Uses connection-oriented TCP
    Uses one database for authentication,           Uses separate databases for authentication,
      authorization, and accounting                   authorization, and accounting
    Encrypts only the password                      Encrypts the entire exchange of logon packets
    Uses a token-based authentication method        Uses a token-based authentication method

Authentication Methods

Regardless of the protocol used, authentication comes in one of three main types:

    Type I: something you know. This is a password or PIN.
    Type II: something you have. This can be a key, swipe card, etc.
    Type III: something you are. This is biometrics.

Recently, two other methods of authentication have been added to this mix: somewhere you are and something you do.

The somewhere you are method uses geolocation to authenticate. For example, a user might enter the right username and password, but if the login is coming from Nigeria instead of from his or her office in Toronto, the login is blocked. Geolocation is related to another technology called geofencing. Geofencing is the process of using GPS or RFID to create a virtual boundary. For example, if a company issues a tablet or laptop to an employee that is only meant to be used on company premises, geofencing prevents it from functioning off-campus.

The something you do method involves any sort of user activity and is usually used in addition to at least Type I authentication. This is a vague category and can encompass anything from keyboard typing habits to how fast you read pages of data.

Strong authentication requires at least one mechanism from at least two categories. Something you know, for example a password, along with something you have, for example a swipe card, is considered strong authentication, or two-factor authentication. Today, authentication that is not two-factor is considered inadequate.

A common concept in authentication is single sign-on (SSO). This allows a user to log in and authenticate one time, and that authentication propagates to other subsystems. Whatever authentication process is used, it should be audited and logged.

Authentication Protocols

Chapter 14 introduced SLIP, PPP, and many variations of PPP, such as PPTP, PPPoE, and MLPPP. While PPP and SLIP are primarily concerned with remote connection security over dial-up telephone lines and ISDN, there are many protocols designed to provide secure connections over Ethernet networks and the Internet, such as PAP, CHAP, and Kerberos. This section takes a look at these protocols.

Password Authentication Protocol (PAP)

Password Authentication Protocol (PAP) is a basic password authentication technique used for HTTP and remote dial-up access. PAP sends the username and password in plain-text format, also referred to as clear text. The username and password are sent over the network and then compared to a database of usernames and
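The clear-text exposure described for PAP above, shown as an added example that is not from the textbook: a parser for a PPP-encapsulated PAP Authenticate-Request (field layout per RFC 1334) together with a defender-side audit function that flags every such request seen on a link, since each one carries a readable username and password. The function names and the sample frame bytes are assumptions constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

PPP_PROTO_PAP = 0xC023        # PPP protocol number assigned to PAP (RFC 1334)
PAP_AUTHENTICATE_REQUEST = 1  # PAP Code values: 1 = Request, 2 = Ack, 3 = Nak


@dataclass
class PapRequest:
    identifier: int
    peer_id: str    # the username, sent unencrypted
    password: str   # the password, also sent unencrypted


def parse_pap_request(ppp_frame: bytes) -> Optional[PapRequest]:
    """Decode a PPP frame carrying a PAP Authenticate-Request (RFC 1334).
    Layout: PPP protocol (2) | Code (1) | Identifier (1) | Length (2) |
            Peer-ID-Length (1) | Peer-ID | Passwd-Length (1) | Password
    Returns None for anything that is not a well-formed PAP request.
    """
    if len(ppp_frame) < 8 or struct.unpack("!H", ppp_frame[:2])[0] != PPP_PROTO_PAP:
        return None
    code, ident, length = struct.unpack("!BBH", ppp_frame[2:6])
    body = ppp_frame[2:2 + length]          # Length counts Code..Password
    if code != PAP_AUTHENTICATE_REQUEST or length < 6 or len(body) != length:
        return None
    pos = 4
    id_len, pos = body[pos], pos + 1
    peer_id, pos = body[pos:pos + id_len], pos + id_len
    if len(peer_id) != id_len or pos >= len(body):   # truncated Peer-ID or no Passwd-Length
        return None
    pw_len, pos = body[pos], pos + 1
    password = body[pos:pos + pw_len]
    if len(password) != pw_len:                      # truncated Password
        return None
    return PapRequest(ident, peer_id.decode("latin-1"), password.decode("latin-1"))


def audit_frames(frames: List[bytes]) -> List[str]:
    """Defender-side check: report every PAP request, because each one exposes a
    username and password to anyone who can read the link (the password itself is
    deliberately not written to the finding, only its length)."""
    findings = []
    for frame in frames:
        req = parse_pap_request(frame)
        if req is not None:
            findings.append(f"PAP clear-text credentials for user {req.peer_id!r} "
                            f"(id={req.identifier}, password length {len(req.password)})")
    return findings


# Constructed sample: Authenticate-Request, identifier 7, user "alice", password "s3cret".
SAMPLE_FRAME = bytes.fromhex("c023") + bytes([1, 7, 0, 17, 5]) + b"alice" + bytes([6]) + b"s3cret"
```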