Home arrow Security arrow Page 4 - Security Overview

Authentication, Authorization, and Accounting - Security

When we talk about “security” we know what we want, but describing it and making it happen can be different matters altogether. Network security has a natural conflict with network connectivity. The more an autonomous system opens itself up, the more risk it takes on. This, in turn, requires that more effort be applied to security enforcement tasks. This article is chapter eight of the book, Cisco: A Beginner's Guide, third edition, by Anthony Velte and Toby Velte (McGraw-Hill/Osborne, 2004, ISBN: 0072256354).

  1. Security Overview
  2. Overview of Network Security
  3. Access Servers and Dial-in Protocols
  4. Authentication, Authorization, and Accounting
  5. How AAA Works
  6. Methods and Types
  7. Method and Types Continued
  8. Dynamic Access Lists
By: McGraw-Hill/Osborne
Rating: starstarstarstarstar / 10
June 30, 2005

print this article



The framework for user-based security is called authentication, authorization, and accounting (AAA), pronounced triple-a. The AAA framework is designed to be consistent and modular in order to give network teams flexibility in implementing the enterprise’s network security policy.

NOTE: Network security systems like CiscoSecure control access to LAN segments, lines, and network applications such as HTTP and FTP. Network access devices—usually access servers and access routers—control access to these network-based services, but an additional layer of security is sometimes configured into the server platform once it is reached. For example, an IBM mainframe will enforce security policies using its own mechanisms. Security for computer platforms and major application software packages is still performed using self-contained security systems resident in the application server, in addition to the network access device security measures covered in this chapter.

Overview of the AAA Model

AAA’s purpose is to control who is allowed access to network devices and what services they are allowed to use once they have access. Here is a brief description of the AAA model’s three functional areas:

  • Authentication Validates the user’s identity as authentic before granting the login
  • Authorization Grants the user the privilege to access networks and commands
  • Accounting Collects data to track usage patterns by individual user, service, host, time of day, day of week, and so on

Thankfully, the acronym makers put the three functions in sequential order, making the AAA concept easier to pick up: first, you’re allowed to log in (your identity is authenticated); then you have certain privileges to use once you’re in (you have predetermined authorizations); and finally, a running history is kept on what you do while logged in (the network team keeps an account of what you do).

The philosophy is to let network teams enforce security policy on a granular basis. Most AAA parameters can be put into effect per LAN segment, per line (user), and per protocol—usually IP.

AAA is a clearly defined security implementation framework that everybody can understand. The architecture is defined down to the command level. Indeed, the AAA concepts are actual IOS commands. Starting an AAA process on a Cisco device involves using the aaa prefix followed by one of the three root functions, such as aaa authentication. A whole AAA command line might read aaa authentication ppp RemoteWorkers tacacs+ local, for example. The purpose of AAA is to provide the client-side command structure on which CiscoSecure relies.

AAA Modularity

A security policy is a set of principles and rules adopted by an enterprise to protect system resources, confidential records, and intellectual property. It’s the network manager’s responsibility to implement and enforce the policy, but in the real world, security policy can get dragged down into the mire of office politics, budget constraints, and impatience. An end-user manager can have a lot of clout as to how the policy will be conducted on his or her turf. After all, the company, not the IT department, funds the network. Consequently, there can be a lot of variance among security policies—even within an enter-prise’s internetwork.

This means that security policies must be highly adaptable. CiscoSecure tries to satisfy this need with modularity—the ability to separately apply security functions by secured entity, independent of how they are applied to other resources. The AAA architecture gives you the option to implement any of the three functions independent of the other two. This includes whether they’re activated on a device, which security protocol is used, and what security server or user database is accessed.

Authentication Controls The aaa authentication command validates a user’s identity at login. But once you’re authenticated, exactly what can you access? That depends on the type of access being made:

  • If you’re a network administrator logging into a switch to tweak its config file, the authentication gets you into that switch’s IOS command prompt.
  • If you’re an employee sitting inside the enterprise and you were authenticated by a router, you get into a protected host to run Windows or browser-based internetwork client-server applications.
  • If you’re a telecommuter and an access server authenticated you, you’re admitted to your enterprise’s internetwork to run the same client-server applications.
  • If you dialed into the Internet from home, as a member of the general public, you were authenticated by one of your ISP’s many access servers, and you enter the World Wide Web.

Security must protect three destination environments: the Internet, the internetwork, and, most of all, the internal operating system of the devices over which internetworks run. Figure 8-3 illustrates access types and destination environments.

The scenario of the network administrator logging into IOS devices is unique. In Cisco internetworks, that type of access is usually authenticated using TACACS+. Other types of access open into a Windows-or HTTP-based application service. Network administrators access a device’s IOS environment in order to perform device maintenance tasks.

Users also require different dial-in services. Although almost everybody uses PPP nowadays, there still can be different requirements. Depending on the local network from which the call is made, different PPP services may be required, such as IP, IPX, NetBEUI, or just a plain terminal connection.

Whatever the issues may be, different requirements often call for a variety of authentication methods to be used in the same internetwork. CiscoSecure lets the network manager employ any of the major dial-in protocols and authentication techniques. In addition, it supports the ability to apply these different tools by network interface or line—even on the same device.

Figure 8-3.  User authentication takes place in four scenarios that open into three worlds.

Authorization Controls  AAA authorization limits services to the user. In other words, if authorization has been activated on a secured entity using the aaa authorization command users must be explicitly granted access to it.

The person’s user profile is usually stored in the security server and sometimes also in the device’s local user database. When the administrator logs into the device and his or her user profile is checked, the device configures the authorizations to know what commands to allow the administrator to use during that session. Commands can be authorized by IOS command mode (the MyRouter> versus MyRouter# prompts) or by specific commands within a mode. Figure 8-4 lays out some of the various forms authorizations can take. Authorization can be more complicated than authentication. After you’ve been authenticated,the security server must supply the access device configuration information specific to the user—for example, which networks the user may access, which applications may be run, which commands are okay to use, and so on. Without centralized maintenance of authorization information, it wouldn’t be practical to assign authorizations byuser. (It’s hard enough just to keep usernames and passwords up-to-date.)

Accounting Controls  Accounting doesn’t permit or deny anything, but instead keeps a running record of what users do.AAAaccounting is a background process that tracks the person’s logins and network use. Figure 8-5 shows how AAA security accounting tracks resource usage.

Figure 8-4.  Authorization can be enforced by network, command mode, and even by command.

Figure 8-5.  AAA accounting is a background process that tracks a user's network activity.

NOTE:  By default, AAA defines IOS as having two command modes: the user EXEC mode (sometimes also called Shell) and the privileged EXEC modes. The IOS level command can be used to further divide things up into 16 command levels (numbered 0–15), so access to commands can be authorized on a more fine-grained basis.

Trends Leading to Client-Server Security Systems

As with most network control systems, AAA uses the client-server model to manage security. In other words, there is a central security server holding the user profile information used by client access devices to enforce security. When a user makes a request to connect to a network, line, or service, the client device queries the server to check if it’s okay. Centralization is necessary because it’s no longer feasible to administer security one access device at a time; there are simply too many of them to keep track of.

In the 1970s, a natural by-product of remote users dialing into central mainframes was that user security profiles (accounts, passwords, and authorizations) were stored right there on the same computer where all the services sat. This made it easy for the security system to check on user permissions. Then, in the 1980s, departmental minicomputers became popular, spreading computers out into the organization. Terminal servers were invented to provide the additional entry points the distributed topologies required, but user databases were now spread across many access devices—making it much tougher to maintain the security system. By the time IP-based networking took off, it became apparent that security information had to be centralized. Figure 8-6 depicts this trend.

The rise of internetworking demands that an enterprise offer dial-in access throughout the organization. Doing so presents problems for enforcing consistent security controls across so many access servers. The AAA architecture is Cisco’s game plan for meeting these challenges.

AAA’s Two Security Protocols: TACACS+ and RADIUS

It’s possible to use AAA security on a stand-alone basis, with no central security database. In the real world, few do this because it would require the extra effort of maintaining security parameters on a device-by-device basis—a labor-intensive and mistake-prone proposition. IOS supports stand-alone security because, in some cases, a security server is unavailable—for example, in a very small internetwork or during the period of time when a security server is being implemented but is still not operable.

AAA configures access devices as clients. Client devices include access servers, routers, switches, and firewalls. The clients query one or more security servers to check whether user connections are permitted. To do this, a protocol is needed to specify rules and conventions to govern the exchange of information. AAA security can use two protocols to handle client-server security configurations:

  • RADIUS A security protocol used mainly for authentication. RADIUS stands for Remote Authentication Dial-in User Service. RADIUS is an industry standard under the auspices of the IETF.
  • TACACS+ A proprietary Cisco protocol that is largely the equivalent of RADIUS, but with stronger integration of authorization and accounting with authentication. TACACS stands for Terminal Access Controller Access Control System. Cisco has submitted TACACS+ to the IETF for consideration as a security protocol standard.

Figure 8-6.  Security systems have evolved along with the computing industry.

NOTE: There is a third security protocol called Kerberos. Developed at MIT, Kerberos is an emerging open standard for secret-key authentication that uses the Data Encryption Standard (DES) cryptographic algorithm. Microsoft, for example, integrated Kerberos into Windows 2000. Although more difficult to implement and administer, Kerberos is gaining in popularity in internetworks more sensitive to security. Its key benefits are that it can function in a multivendor network like RADIUS, but it doesn’t transmit passwords over the network (it passes so-called tickets instead). IOS includes Kerberos commands in its AAA framework.

>>> More Security Articles          >>> More By McGraw-Hill/Osborne

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Secure Your Business for Data Privacy Day
- Google Testing Security Fob Password Alterna...
- Security News Highlights Concerns
- Going to Extremes for Data Security
- Skipfish Website Vulnerability Scanner
- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II

Developer Shed Affiliates


Dev Shed Tutorial Topics: