Chapter 6. Authentication, Authorization, and Accounting

An important part of network security is authentication, authorization, and accounting, collectively known as AAA. AAA is a framework, similar to the security models discussed in Chapter 2, in which an administrator can maintain access control over network devices.

AAA covers access control over routers, switches, firewalls, servers, and so forth. Just about any network device that is not a workstation and allows remote access can fall under AAA policies. AAA is not a protocol in and of itself; instead, it is a set of guidelines promoted by the IETF that outlines how access protocols should behave to optimize their security benefits.

The most commonly used protocols associated with AAA are Kerberos, Remote Authentication Dial-In User Service (RADIUS), and Terminal Access Controller Access Control System+ (TACACS+). These will be discussed shortly.

By providing a framework for access control, AAA offers a network administrator a way to apply a standard policy across all network devices. This type of standard policy has two benefits: It gives the network administrator the ability to centralize all accounting information, and it creates a standard of access that can be applied evenly across the network.

The AAA framework, in networks where it is necessary, allows for the commingling of different types of authentication, not only within the network, but also on the same network interface. AAA, as with any good security model, provides a network administrator with a great deal of flexibility. It fits around an existing network, rather than forcing the network into a rigid security model.

Figure 6.1 demonstrates how an AAA accounting model would fit into the network that is currently being built. AAA services generally reside on remote machines, so if a network device is compromised, and consequently the validity of its own logs is questionable, there is an independent record of access times, and possibly of changes made to the device.

Figure 6.1. A typical network configuration using AAA services


The AAA process is somewhat complex, and it allows a network administrator to set multiple levels of control. Referring to Figure 6.1 again: an administrator logs into a router, and the router sends a message to the AAA server (either a RADIUS or TACACS+ authentication message) asking the AAA server to authenticate this user. The AAA server authenticates the user and can let the router know what level of access the user has. The router can then send updates to the AAA server detailing what changes the administrator makes.

While logged into the router, the administrator decides to log into the DNS server, which sends a message to the AAA server asking it to authenticate the administrator. Even though the DNS server is running on a different platform than the router, because the AAA server relies on standard protocols for authentication, it can perform the same authentication and tracking functions for the DNS server.

It is important to emphasize that the AAA model creates a framework in which protocols like Kerberos, RADIUS, and TACACS+ can develop so they can be standardized and ported to multiple platforms. From an administrator's perspective this framework allows you to standardize on one AAA protocol across the entire network, or select multiple protocols knowing that they will support similar behaviors.

Each aspect of the AAA framework has specific functions and has to meet certain requirements before a protocol can be considered AAA compliant.

Authentication is the process in which a user is identified on a device. This includes the username and password process and the type of encryption, if any, that is used during the authentication process. The purpose of authentication is to restrict access to network devices, so authentication has to occur before a user can gain access to a device. Authentication is defined on a per-interface basis. Multiple forms of authentication are supported on each interface; however, a default authentication can be assigned to all interfaces.

Authorization is the user profile. It determines the level of access, or the services to which a user has access. Authorization can be defined in a couple of ways. If the authorization policy for each user is going to be consistent throughout the network, then the authorization policy can be defined on the AAA server. If the authorization policy is going to vary from device to device, then the authorization policy can be defined on the individual network device. For example, a network administrator may want to define different policies for routers and servers, or a web developer may need full access to the web server, but only limited access to the DNS server. Authorization policy does not have to be limited to each user. It can be defined on a per-group basis, with different groups having different privileges.

Controlling who logs in, and what privileges they have when logged in, is not enough. You also have to be able to monitor what they do while logged in, which is where accounting is important. Accounting allows a network administrator to monitor the times an account was logged in, the commands issued while logged in, resources used, and data transferred. Accounting features can add a lot of overhead to your network; however, the additional information can be invaluable when trying to track down either an internal or external attacker, because the AAA accounting server has a complete record of the moves the attacker made.
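The exchange described with Figure 6.1 (a router and a DNS server deferring every login decision to one central AAA server) and the three functions just defined (authentication, authorization with per-group and per-device policy, and accounting kept off the device) can be put together in a short Python model. This is an added example, not code from the book or from any RADIUS, TACACS+ or Kerberos implementation: the user names, the `netadmin` and `webdev` groups, the device names and the numeric access levels are all constructed for illustration, and the server stores salted PBKDF2 password hashes rather than speaking any real wire protocol.

```python
"""Toy model of the AAA exchange: devices hold no credentials or policy of their
own and ask a central server to authenticate, authorize and record each action.
All names, groups and access levels below are constructed for this example."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the server never stores the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    group: str


class AAAServer:
    """Central AAA server: authenticates, answers authorization queries,
    and keeps the accounting record independently of the managed devices."""

    def __init__(self):
        self.users = {}
        self.group_policy = {}      # group -> default access level (assumed numeric scale)
        self.device_policy = {}     # (device, group) -> override for policy that varies per device
        self.accounting = []        # (timestamp, device, user, kind, detail), held off-device

    def add_user(self, name, password, group):
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _hash_password(password, salt), group)

    def set_group_policy(self, group, level):
        self.group_policy[group] = level

    def set_device_policy(self, device, group, level):
        self.device_policy[(device, group)] = level

    def authenticate(self, device, username, password):
        user = self.users.get(username)
        ok = user is not None and hmac.compare_digest(
            user.pw_hash, _hash_password(password, user.salt))
        self._record(device, username, "AUTH", "accept" if ok else "reject")
        return ok

    def authorize(self, device, username):
        user = self.users[username]
        # A device-specific policy wins over the network-wide group policy.
        level = self.device_policy.get((device, user.group),
                                       self.group_policy.get(user.group, 0))
        self._record(device, username, "AUTHZ", f"level={level}")
        return level

    def account(self, device, username, command):
        self._record(device, username, "CMD", command)

    def _record(self, device, username, kind, detail):
        self.accounting.append((time.time(), device, username, kind, detail))


class Device:
    """Router or server that delegates every decision to the AAA server."""

    def __init__(self, name, aaa):
        self.name = name
        self.aaa = aaa
        self.local_log = []  # the device's own log, which an intruder could tamper with

    def login(self, username, password):
        if not self.aaa.authenticate(self.name, username, password):
            return None
        return self.aaa.authorize(self.name, username)

    def run(self, username, level, command, required_level):
        if level < required_level:
            self.aaa.account(self.name, username, f"DENIED {command}")
            return False
        self.local_log.append(command)
        self.aaa.account(self.name, username, command)
        return True


def demo():
    aaa = AAAServer()
    aaa.set_group_policy("netadmin", 15)
    aaa.set_group_policy("webdev", 15)
    aaa.set_device_policy("dns1", "webdev", 1)   # web developers get limited access on the DNS server
    aaa.add_user("alice", "correct horse", "netadmin")
    aaa.add_user("bob", "battery staple", "webdev")
    router, web, dns = Device("router1", aaa), Device("web1", aaa), Device("dns1", aaa)
    results = {}
    results["alice_router"] = router.login("alice", "correct horse")   # 15
    results["bob_bad_pw"] = router.login("bob", "wrong")                # None
    results["bob_web"] = web.login("bob", "battery staple")             # 15
    results["bob_dns"] = dns.login("bob", "battery staple")             # 1
    results["bob_dns_edit"] = dns.run("bob", results["bob_dns"],
                                      "edit zone example.test", 15)    # False
    # Simulate a compromised DNS server whose own log has been wiped: the
    # AAA server still holds the independent record of what happened on it.
    dns.local_log.clear()
    results["aaa_records_for_dns"] = [r for r in aaa.accounting if r[1] == "dns1"]
    return results
```

The two properties the chapter attributes to a remote AAA service fall out of the design: no `Device` stores a password or a policy, so a single change on `AAAServer` applies evenly across every device, and clearing `dns.local_log` does not touch `aaa.accounting`, which still lists the rejected login, the authorization decision and the denied command.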

   


The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska
