AAA and Authentication – CompTIA Security+ SY0-501 – 4.1

The authentication process is a foundational aspect of network security. In this video, you’ll learn about AAA, authentication factors, federation, single sign-on, and more.



The AAA framework is a foundation of network security. When we’re logging into our network to gain access to resources, we’re usually providing a username and password so that we can prove who we are. And that process of identifying ourselves passes through this authentication, authorization, and accounting framework.

The authentication portion of the AAA framework is the part where we prove that we are who we say we are. We usually provide a username and password, and often additional authentication factors, to help prove that we really are who we claim to be. Once we’ve identified ourselves and authenticated into the AAA framework, the authorization part is going to determine what type of access we have to the resources available on the network.

And the last A in the AAA framework is accounting. It’s a way to keep a log of exactly who logged in, the date and time this login occurred, and when this person may have logged out. When we are authenticating into this AAA framework, there may be a number of factors that could be asked of us so that we can really prove who we say we are. Some of these most common factors are something you are, something you have, something you know, somewhere you are, and something you do.

Providing these additional factors of authentication may come with a cost. For example, it may require that everyone carry a hardware-based pseudo-random token generator with them, and each one of those tokens has a cost associated with it. If one of the factors is looking for biometric readings, it may require specialized hardware to be able to take those biometric measurements. But depending on how you implement this authentication, there may be very little cost associated with it. For example, there are free smartphone applications that you can use to take the place of some of these hardware-based systems.

The authentication factor of something you are usually refers to a part of you as a person. This would be biometric authentication, such as a fingerprint or an iris scan. Usually the biometric system is not saving your actual fingerprint; instead it creates a mathematical representation and stores that for later comparison. These biometric values are obviously very difficult to change because they’re part of you, and they’re unique because they are something that nobody else has. Usually you’re combining this biometric with some other type of authentication. Biometrics is not an exact science, and layering different types of authentication makes your authentication process that much more secure.

One step removed from something you are is something you have. This would be something that you carry with you. For example, a smart card like this one that we would insert into a computer or a laptop would mean that we would have to have physical access to that card to be able to slide it in and confirm that we happen to be in front of that computer. Usually, we’re combining a smart card with a personal identification number or passphrase. That way, someone can’t steal your smart card and use it instead of you. They would also have to know additional pieces of information to provide this level of authentication.

Another good way to validate who you are is to provide a specialized certificate that only you have. A very common way to store the certificate is on a USB token, and you would plug in your USB key any time you needed to authenticate. There are also hardware or software tokens that you could use. These devices create pseudo-random numbers that are synchronized on both sides, so you can type in this very specific number that nobody else has and it is confirmed that you must have that particular token with you.
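The synchronized pseudo-random numbers described above are, in practice, time-based one-time passwords (TOTP, RFC 6238). The following is an added example and not code from the video: both sides hold a shared secret (a constructed sample value here) and derive the same six-digit code from the current 30-second window, and the server-side check allows one window of clock drift and compares in constant time.

```python
import hmac
import hashlib
import struct

# Constructed sample shared secret; a real token is provisioned with a random
# secret once, and the same secret lives on the server side.
SHARED_SECRET = b"constructed-sample-secret-12345"
TIME_STEP = 30   # seconds per code window
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Derive the code for the time window containing unix_time (RFC 6238 on top of RFC 4226)."""
    counter = unix_time // step                      # both sides agree on this if clocks agree
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226 section 5.4)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, submitted: str, server_time: int, skew_steps: int = 1) -> bool:
    """Server side: accept the code for the current window or +/- skew_steps
    neighbouring windows, using a constant-time compare so that response timing
    does not reveal how many digits matched."""
    accepted = False
    for k in range(-skew_steps, skew_steps + 1):
        expected = totp(secret, server_time + k * TIME_STEP)
        # No early return: keep the comparison count independent of the input.
        accepted |= hmac.compare_digest(expected, submitted)
    return accepted


def rfc6238_vector_ok() -> bool:
    """Sanity check against the RFC 6238 Appendix B SHA-1 test vector (T=59 -> 94287082)."""
    return totp(b"12345678901234567890", 59, digits=8) == "94287082"


if __name__ == "__main__":
    now = 1_700_000_000                              # constructed timestamp
    code = totp(SHARED_SECRET, now)
    print("token shows:", code)
    print("accepted now:", verify(SHARED_SECRET, code, now))
    print("accepted five minutes later:", verify(SHARED_SECRET, code, now + 300))
    print("RFC 6238 vector:", rfc6238_vector_ok())
```

A code that is replayed five minutes later falls outside the one-window skew and is rejected, which is what makes the token a proof of possession at that moment rather than a reusable secret.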

A very common type of something we have is our mobile phone. That’s usually not something that’s shared with other people, so we can trust that sending a message to that mobile phone might only be read by the individual who owns the phone. We can then use that message as part of the authentication factor whenever someone is trying to log in to the network.

One of the most common authentication factors is something you know. This would commonly be something like a password. We would put our username into the system and then a secret code or passphrase that we’ve created and that only we would know. Another good example of something you know is a personal identification number. We use these often when we’re using an ATM. It asks for a four-digit code, and it’s a code that only we would know. A specialized type of something you know would be on the front of your phone. On Android devices, you can swipe a very particular pattern to unlock your phone, and you would be the only one who would know what that pattern is.

The authentication factor of somewhere you are can be a very useful method of authentication. This is providing details of where you are based on your geographical location. You’re able to log into a system, it knows exactly where you happen to be, and then the system can decide whether that is an appropriate place from which to authenticate to your systems.

One very broad use of somewhere you are is to use an IPv4 address. Not everybody is connecting to the network using an IPv4 address, and even the IP version 4 addresses themselves don’t provide a great deal of geographic accuracy. However, the mobile devices that we carry with us do provide a great deal of geographic accuracy. It can find a very specific location and then allow or disallow someone to authenticate using that particular factor.

The authentication factor of something you do is something that’s going to be very unique to the way you do something. A good example of this is handwriting. We all have a very specific signature, and it’s very difficult for someone to duplicate that signature unless they happen to be us. Another way to determine who you happen to be is the way that you type. We all have a certain pattern that we use when we’re typing, and that could be used as a type of authentication factor. This is very similar to using biometrics, but instead of it being something you are, it instead is something that you can do.

You may have services on your network that you’d like to make available to as many people as possible. But instead of having to create a separate username and password and account information for every single user, you may want to take advantage of an authentication system that may already exist. That can very easily be accomplished by using a federated network where you can authenticate and authorize between two different organizations.

For example, you may have seen a login screen like this on a website where, instead of using a traditional email address and password that’s local to that server, you can authenticate using existing Twitter, Facebook, LinkedIn, and other third-party accounts. This is a formal trust process that’s created between these organizations. Usually the password and account information is not shared between these organizations; instead the authentication process is passed to the third party. The third party validates the authentication and then provides the clearance back to the original site.

If you’ve ever connected to a large corporate network, then you know there are many different services that you’re taking advantage of. You might be connecting to the internet, there may be file shares that you’re connecting to, and you might be using printers on that network. Imagine if you had to put in a username and password every time you wanted to access one of those services. To avoid that process, most organizations use SSO, or single sign-on.

This saves a lot of time for the end user because they don’t have to put in a username and password every time they connect to a new service. There are a number of complexities behind the scenes, and usually there’s a bit of cryptography that takes place, but all of this is hidden from the end user. All the end user knows is that they put in a username and password when they first connect to the network, and everything else from that point on is automatic.

If you’re on a Windows network, this is probably using Kerberos to accomplish the single sign-on. But there are also third-party options if you need to have the same type of single sign-on capability used with other systems. Authentication systems rely on trust. Often this trust is within a single organization or domain, but sometimes we have a need to trust other organizations as well. And it’s important that we build and configure these different types of trusts depending on the relationships that we have with those third parties.

One of these types of trusts may be a one-way trust where domain B may trust domain A, but it doesn’t work in the other direction. Domain A might not trust domain B. If both sides trust each other, then we have a two-way trust where both sides will trust each other equally. When we’re building these trusts, it’s common to configure either a non-transitive trust or a transitive trust.

A non-transitive trust means that we are building a trust to one entity, and the trust that we’re creating will only apply to that particular entity. If we have a transitive trust, this trust relationship can extend itself based on the other trusts that are in place. For example, if domain A trusts domain B, and domain B trusts domain C, a transitive trust would allow domain A to then trust domain C.
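To make the one-way, two-way, transitive and non-transitive distinctions concrete, here is an added example (not from the video) that resolves whether one domain accepts another’s authentication from a small constructed table of trusts. The domain names and the rule that a non-transitive trust never flows past the two domains that configured it are assumptions of this illustration.

```python
from collections import deque

# Each entry: (trusting domain, trusted domain, transitive?).  "A trusts B" means
# A accepts logins that B authenticated.  A two-way trust is two one-way entries.
# Constructed sample data.
TRUSTS = [
    ("A", "B", True),    # A trusts B, transitive
    ("B", "C", True),    # B trusts C, transitive  -> A reaches C through B
    ("C", "D", False),   # C trusts D, non-transitive -> does not flow on to A or B
    ("D", "C", True),    # reverse direction, so C and D have a two-way trust
]


def trusts(trusting: str, trusted: str, edges=TRUSTS) -> bool:
    """True if `trusting` accepts `trusted`, either directly or by chaining
    through transitive trusts only.  A non-transitive trust is honoured only
    between the two domains that configured it (the direct check below)."""
    if trusting == trusted:
        return True
    if any(src == trusting and dst == trusted for src, dst, _ in edges):
        return True                                   # direct trust of either kind
    seen, queue = {trusting}, deque([trusting])       # breadth-first walk of transitive edges
    while queue:
        current = queue.popleft()
        for src, dst, transitive in edges:
            if src == current and transitive and dst not in seen:
                if dst == trusted:
                    return True
                seen.add(dst)
                queue.append(dst)
    return False


def trust_kind(x: str, y: str, edges=TRUSTS) -> str:
    """Classify the direct relationship between x and y as two-way, one-way or none."""
    xy = any(s == x and d == y for s, d, _ in edges)
    yx = any(s == y and d == x for s, d, _ in edges)
    return "two-way" if xy and yx else "one-way" if xy or yx else "none"


if __name__ == "__main__":
    for pair in (("A", "C"), ("C", "A"), ("A", "D"), ("C", "D")):
        print(pair, "direct:", trust_kind(*pair), "effective:", trusts(*pair))
```

Note that A reaches C only because every hop on the way is transitive; the non-transitive C-to-D trust stops the chain, so A does not trust D even though A trusts C.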