Authentication Best Practices


The method used for authentication in this book is local security appliance database authentication, which is an excellent way to demonstrate the configuration capabilities of ASDM and the ASA/PIX Security Appliance. Chapter 7, "Deploying Authentication," mentioned several times that there are some advantages to authenticating with a AAA server. The Cisco AAA server is called Cisco Access Control Server (or Cisco ACS).

AAA offers not only authentication but also authorization and accounting. Authentication validates credentials, typically a username and password, before granting a user (and sometimes a device) access. Authorization controls what an authenticated user is allowed to do on the device. Accounting records how long a user was logged on and, if authorization is in use, can also record the commands the user issued. These records are invaluable when you need to trace who changed what on the devices in your network.

One topic that wasn't discussed is one-time password (OTP) authentication, which is available through AAA. With OTP, each password is valid for a single logon. The passwords are codes generated by a hardware token card or by token software running on a PC, and they change every 30 or 60 seconds, depending on the token vendor. This method is among the strongest available: a password sniffed on the network is of little use to an attacker, because it has either already been consumed by the legitimate logon or has expired. The caveat is that the AAA server must refuse a code it has already accepted; otherwise a captured code could be replayed within its 30- or 60-second lifetime.

The other point made several times in this book is the choice of usernames and passwords. It is very important to use hard-to-guess usernames and passwords. Several very capable free password-cracking tools are available on the Internet. They typically start by guessing words from dictionaries (with common variations) and then fall back to exhaustive brute-force enumeration of every possible combination. If someone obtains a copy of your Microsoft password database (the SAM) or your UNIX or Linux password file, they will run it through such a cracker and, where these guidelines have not been followed, recover a good number of passwords within hours. Therefore, always use passwords (and, where possible, usernames) that combine the following attributes:

  • At least eight characters (ten preferably)

  • Uppercase characters

  • Lowercase characters

  • Numerals

  • Special characters

Following these guidelines makes a password cracker's job exponentially harder: every additional character multiplies the number of combinations by the size of the character set, and each additional character class enlarges that set.

Another thing you want to do with passwords is change them often. This is a policy decision for each administrator. Changing passwords frequently, such as once every 60 days, is a good policy.

AAA can also expire passwords at administrator-defined intervals and enforce policy such as a minimum password length, so users cannot choose passwords shorter than the policy allows.

A best practice that many administrators are using is running their own password crackers against their password databases and notifying users if their password is easily guessed.
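The following added example (not code from the book) puts the two preceding points into working form: it checks a password against the five attributes listed above, estimates how large a keyspace a brute-force cracker would have to exhaust, and runs a small dictionary-plus-mangling audit of the kind administrators run against their own password databases. The hashing (unsalted SHA-256), the guess rate, the mangling rules and the sample password file are all assumptions made so the example runs offline; real password stores use salted, slow hashes, and real crackers have far richer rule sets.

```python
"""Password-policy check, keyspace estimate, and an offline dictionary audit.

Added example, not code from the book. The hashing (unsalted SHA-256) and the
sample password database below are assumptions made to keep the example
self-contained; real systems store salted, slow hashes.
"""
import hashlib
import math
import string

MIN_LENGTH = 8          # the book's floor; ten is preferred
CLASS_ALPHABET = {      # the character classes a cracker must enumerate
    "uppercase": string.ascii_uppercase,   # 26
    "lowercase": string.ascii_lowercase,   # 26
    "numeral": string.digits,              # 10
    "special": string.punctuation,         # 32
}


def classes_used(password: str) -> set:
    """Return the names of the character classes that appear in the password."""
    return {name for name, chars in CLASS_ALPHABET.items()
            if any(c in chars for c in password)}


def check_policy(password: str) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    for name in CLASS_ALPHABET:
        if name not in classes_used(password):
            problems.append("no %s character" % name)
    return problems


def keyspace_size(password: str) -> int:
    """Candidates an exhaustive search over the used classes at this length must
    try: exponential in the length, and each added class enlarges the base."""
    alphabet = sum(len(CLASS_ALPHABET[n]) for n in classes_used(password))
    return alphabet ** len(password)


def brute_force_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to exhaust the keyspace at an assumed guess rate."""
    return keyspace_size(password) / guesses_per_second


def mangle(word: str) -> set:
    """Variants a dictionary cracker derives from one word: case changes,
    leet-speak substitutions and common suffixes (assumed, minimal rule set)."""
    leet = str.maketrans("aeio", "4310")
    variants = {word, word.capitalize(), word.upper(), word.translate(leet)}
    for base in list(variants):
        for suffix in ("1", "123", "!", "2006"):
            variants.add(base + suffix)
    return variants


def audit(hashed_db: dict, wordlist: list) -> dict:
    """Run the wordlist plus mangling rules against a {user: hash} database and
    return {user: recovered_password} for every weak password found."""
    lookup = {}
    for word in wordlist:
        for candidate in mangle(word):
            lookup[hashlib.sha256(candidate.encode()).hexdigest()] = candidate
    return {user: lookup[digest] for user, digest in hashed_db.items() if digest in lookup}


# Constructed sample "password file"; hashed here only so the example runs offline.
SAMPLE_DB = {user: hashlib.sha256(pw.encode()).hexdigest() for user, pw in {
    "greg": "Password1",        # dictionary word, capitalised, digit appended
    "netadmin": "cisco123",     # vendor name plus the classic suffix
    "backup": "p4ssw0rd",       # leet-speak does not defeat mangling rules
    "ops": "Tq7#vL9!xR2m",      # 12 characters, all four classes
}.items()}
SAMPLE_WORDLIST = ["password", "cisco", "secret", "firewall"]

if __name__ == "__main__":
    for user, pw in (("ops", "Tq7#vL9!xR2m"), ("greg", "Password1")):
        print(user, check_policy(pw) or "passes policy",
              "%.1f bits" % math.log2(keyspace_size(pw)),
              "%.2g s at 1e9 guesses/s" % brute_force_seconds(pw))
    print("recovered:", audit(SAMPLE_DB, SAMPLE_WORDLIST))
```

Note that the audit recovers "Password1" even though it satisfies three of the four character classes and the eight-character minimum: a policy check alone does not catch a dictionary word with a capital letter and a digit bolted on, which is exactly why the book recommends running a cracker against your own database as well.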

An effective way to mitigate brute-force and dictionary attacks against a live logon is to enforce account lockout, which disables (locks) an account after a set number of failed attempts, five being a common choice. Be aware of the trade-off: an attacker who knows valid usernames can deliberately lock users out, so prefer a lockout that expires after a period of time over one that must be cleared by an administrator, and make sure every lockout is logged.
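The lockout logic described above, as an added example that is not code from the book or from the ASA/PIX. The thresholds (five failures within a five-minute window, a fifteen-minute lock) and the function names are assumptions; the timestamps are passed in explicitly so the behaviour can be exercised without waiting.

```python
"""Account lockout after repeated failed logons.

Added example, not code from the book or from the ASA/PIX. The thresholds
(five failures within five minutes, fifteen-minute lock) are assumptions.
"""
from collections import defaultdict, deque


class LockoutPolicy:
    def __init__(self, max_failures: int = 5, window: int = 300, lock_seconds=900):
        self.max_failures = max_failures
        self.window = window                # failures older than this no longer count
        self.lock_seconds = lock_seconds    # None = locked until an administrator unlocks
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> time the lock expires

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:                    # lock expired: forget it and count afresh
            del self.locked_until[user]
            self.failures[user].clear()
            return False
        return True

    def unlock(self, user: str) -> None:
        """Administrative unlock (needed when lock_seconds is None)."""
        self.locked_until.pop(user, None)
        self.failures[user].clear()

    def attempt(self, user: str, credential_ok: bool, now: float) -> str:
        """Apply the policy to one logon attempt and return the outcome:
        'locked', 'ok', 'failed' or 'lockout-triggered'."""
        if self.is_locked(user, now):
            return "locked"                 # refused even if the credential is right
        if credential_ok:
            self.failures[user].clear()     # a good logon resets the counter
            return "ok"
        recent = self.failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # slide the window forward
        if len(recent) >= self.max_failures:
            self.locked_until[user] = (float("inf") if self.lock_seconds is None
                                       else now + self.lock_seconds)
            return "lockout-triggered"
        return "failed"


def lockout_demo() -> list:
    """Five bad passwords in a row, then the correct password while locked,
    then the correct password once the lock has expired."""
    policy = LockoutPolicy()
    results = [policy.attempt("greg", False, 100 + i) for i in range(5)]
    results.append(policy.attempt("greg", True, 110))        # right password, but locked
    results.append(policy.attempt("greg", True, 104 + 900))  # lock expired: accepted
    return results


if __name__ == "__main__":
    print(lockout_demo())
```

Two details matter in practice: the lock is checked before the credential, so a locked account gives the attacker no feedback about whether a guess was right, and the sliding window means five failures spread over a working day by a forgetful user do not trigger the lock while five in a minute do.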



Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar
