Previous | Table of Contents | Next |
Both of these services can provide authentication services with a centralized repository of passwords and permissions. The following output is from a TACACS+ configuration filenote how two groups, operator and operator_plus (members of the default service, permit, are given all commands) are established to restrict the commands available to the user:
#TACACS+ V2.1 configuration file
#created 5/14/96
#edited 8/20/99
#
#If user doesn't appear in the config file user/etc/ password
default authentication = file /etc/passwd
accounting file = /home1/logs/tacacs+.accounting
#Must be same as router IOS "tacacs-server key"
key = C1sc0
#
user=netops {
member=operator
login=cleartext dilbert
}
user=rpadjen {
# Robert Padjen
default service=permit
login=cleartext yummy
}
group=operator {
name="Network Operator"
cmd=debug {
permit .*
}
cmd=write {
permit terminal
}
cmd=clear {
permit .*
}
cmd=show {
#permit show commands
permit .*
}
}
user=tlammle {
# Todd Lammle
member=operator_plus
login=cleartext flatshoe
}
group=operator_plus {
name="Network Operator Plus"
cmd=debug {
permit .*
}
cmd=write {
permit terminal
}
cmd=clear {
permit .*
}
#permit show commands
cmd=show {
permit .*
}
cmd=configure {
permit terminal
}
cmd=interface {
permit .*
}
cmd=shutdown {
permit .*
}
cmd=no {
permit shutdown
}
}
Numerous texts provide the details of these protocols and the features, including port numbers and encryption, available to the designer. Yet at this point, designers should be concerned only with the availability of both protocols and the knowledge that both freeware and licensed versions exist. Cisco offers their CiscoSecure product as one possible solution, and each product (including freeware, alternative vendors, and Cisco) has advantages and disadvantages. The benefit of each is that a single system can provide access control for all network devices, and the password information is not stored on the network components themselves. This design provides a slight degree of added security for the architect and greatly simplifies ongoing administration.
It is beyond the scope of this book to address all of the components necessary for designing a secure network, even if the scope is limited to the network systems themselves. Various controls on the workstation, server, databases, and other systems are all required to make a system more secure.
However, all security solutions require the presence of an accounting function. This may be part of a TACACS+ or RADIUS solution, or it may appear in the form of log files and audit trails.
The general security guidelines for accounting must include at least two componentssufficient information to reconstruct the events during the period and, ideally, a method for quickly parsing out significant events. It is extremely inefficient for administrators to manually examine the log files looking for problems. This is one of the areas in which firewalls are strong the good ones provide real-time alerts of suspicious activity and highlight and summarize general activity.
Accounting also has a benefit outside of the security arena. Designers may be asked to look at accounting to provide charge-back mechanisms and other revenue-generating services. In fact, it is likely that vendors will migrate to usage-based billing for Internet connections before 2005a move that may yield greater revenue than the current flat-rate contracts.
At present, virtual private networks (VPNs) are not included in the CID exam objectives. However, this relatively new functionality can greatly reduce costs and management issues in the network and should be considered with care by designers. Most VPN deployments build upon the basic concepts of tunneling and add security to the offering. At its simplest definition, a VPN is a tunnel between two points across an untrusted or public network. The contents of the tunnel are typically encrypted, reducing the risk that a session would be intercepted and the data compromised.
The biggest benefit of VPNs, their low cost, is the result of local points-ofpresenceusers dial a local number rather than an 800 number or a long-distance one. There is little doubt that low access costs will make VPNs a common service in the network. However, many corporations are having difficulty deploying the service for technical and political reasons. Most frequently, the political reasons involve a lack of trust regarding the security of VPNs and the reliability of using the public network for business-critical data. Many vendors now offer guaranteed service levels for VPN traffic that remains within their network.
Another advantage to VPN technology is the flexibility afforded the designer. The typical remote-access solution, which VPN is designed to replace, requires the designer and administrator to order circuits at both the local and remote ends. These circuits are usually user-specificuser A might use ISDN and user B might use analog dial-up. Even with discounts and 800 numbers, the costs for these services quickly grow and significantly add to the burdens of the support organization. It is not unheard of for users to generate monthly ISDN charges of thousands of dollars. In addition, users are limited to the remote technology deployed for them.
VPN technology simplifies this model substantially as a single point (foregoing redundancy) that can provide connectivity for an array of access methods, including cable modems, DSL, dial-up, ISDN, and Frame Relay. A wide array of protocols and methods, including the Point-to-Point Tunneling Protocol (PPTP), L2F (Layer 2 Forwarding), L2TP (Layer 2 Tunneling Protocol), and IPSec (IP Security), are available to encrypt data and provide secure virtual connections between the access points. Each technology provides different standards and benefits, including support for multiple protocols, NAT, and multicasts.
However, the landscape is changing very quickly, and readers are advised to examine vendor materials and standards documents before selecting a technology. Note that at present, though IPSec appears to be the likely VPN solution, Cisco strongly supports L2TP or a combination of L2TP and IPSec, which can provide most services except NAT. Microsofts Windows 2000 product will also support these specifications. It is important to note that IPSec supports only IP and was initially designed to provide only encryption, authentication, and key-management services.
One challenge with most of these connection technologies is key distribution. For example, a remote user wishes to activate the VPN client on his home computer and connect to the corporate VPN server. This requires a key on the client that authenticates to the server. How does that key get transmitted securely? To answer this question, designers looking at VPN technologies need to ask a few preliminary questions, including:
Previous | Table of Contents | Next |