CISSP® Official Study Guide, Eighth Edition



(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018), Chapter 13: Managing Identity and Authentication

AAA Protocols 
Several protocols provide authentication, authorization, and accounting and are referred to as AAA protocols. These provide centralized access control with remote access systems such as virtual private networks (VPNs) and other types of network access servers. They help protect internal LAN authentication systems and other servers from remote attacks. When using a separate system for remote access, a successful attack on the system only affects the remote access users. In other words, the attacker won’t have access to internal accounts. Mobile IP, which provides access to mobile users with smartphones, also uses AAA protocols.

These AAA protocols use the access control elements of identification, authentication, authorization, and accountability as described earlier in this chapter. They ensure that users have valid credentials to authenticate and verify that the user is authorized to connect to the remote access server based on the user’s proven identity. Additionally, the accounting element can track the user’s network resource usage, which can be used for billing purposes. Some common AAA protocols are covered next.

RADIUS 
Remote Authentication Dial-in User Service (RADIUS) centralizes authentication for remote connections. It is typically used when an organization has more than one network access server (or remote access server). A user can connect to any network access server, which then passes on the user’s credentials to the RADIUS server to verify authentication and authorization and to track accounting. In this context, the network access server is the RADIUS client and a RADIUS server acts as an authentication server. The RADIUS server also provides AAA services for multiple remote access servers.

Many internet service providers (ISPs) use RADIUS for authentication. Users can access the ISP from anywhere and the ISP server then forwards the user’s connection request to the RADIUS server.

Organizations can also use RADIUS, and organizations often implement it with location-based security. For example, if the user connects with an IP address, the system can use geolocation technologies to identify the user’s location. While it isn’t as common today, some users still have Integrated Services Digital Network (ISDN) lines and use them to connect to VPNs. The RADIUS server can use callback security for an extra layer of protection. Users call in, and after authentication, the RADIUS server terminates the connection and initiates a call back to the user’s predefined phone number. If a user’s authentication credentials are compromised, the callback security prevents an attacker from using them.

RADIUS uses the User Datagram Protocol (UDP) and encrypts only the exchange of the password. It doesn’t encrypt the entire session, but additional protocols can be used to encrypt the data session. The current version is defined in RFC 2865.

RADIUS provides AAA services between network access servers and a 
shared authentication server. The network access server is the client of the 
RADIUS authentication server.
