CNIT 221 Security 1 ver.2
Module 6
City College of San Francisco
Spring 2006
© 2004, 2005 Cisco Systems, Inc. All rights reserved.
Network Security 1
Module 6 – Configure Trust and Identity at Layer 3
Learning Objectives
• 6.1 Cisco IOS Firewall Authentication Proxy
• 6.2 Introduction to PIX Security Appliance AAA Features
• 6.3 Configure AAA on the PIX Security Appliance
Module 6 – Configure Trust and Identity at Layer 3
6.1 Cisco IOS Firewall Authentication Proxy
What Is the Authentication Proxy?
– HTTP, HTTPS, FTP, and Telnet authentication
– Provides dynamic, per-user authentication and authorization via the TACACS+ and RADIUS protocols
– Once authenticated, all types of application traffic can be authorized
– Works on any interface type for inbound or outbound traffic
Cisco IOS Firewall Authentication Proxy
• The Cisco IOS Firewall authentication proxy feature enables network administrators to apply specific security policies on a per-user basis
• With the authentication proxy feature, users can log in to the network or access the Internet via HTTP, HTTPS, FTP, or Telnet
• User access profiles are automatically retrieved and applied from a Cisco Secure Access Control Server (ACS) or other authentication server.
IOS Firewall Proxy Example
When a user initiates an HTTP, HTTPS, FTP, or Telnet session through the firewall, it triggers the authentication proxy.
Supported AAA Servers
• TACACS+
– Cisco Secure ACS NT/2000
– Cisco Secure ACS UNIX
– TACACS+ Freeware
• RADIUS
– Cisco Secure ACS NT/2000
– Cisco Secure ACS UNIX
– Lucent
Authentication Proxy Operation
• Users must successfully authenticate with the authentication server by entering a valid username and password.
• The authentication proxy uses the information in the user profile returned by the AAA server to create dynamic access control entries (ACEs) for that user.
• The authentication proxy sets up an inactivity, or idle, timer for each user profile; when it expires, the user's dynamic ACEs are removed and the user must authenticate again.
Create auth-proxy Service in the Cisco Secure ACS
Enter the new service: auth-proxy.
AAA Server Configuration
Authentication Proxy Configuration
• The authentication proxy is applied in the inward direction at any interface on the router where per-user authentication and authorization occurs.
• Applying the authentication proxy inward at an interface causes it to intercept a user's initial connection request.
• Users are authorized for services only after successful authentication with the AAA server.
AAA Configuration – Enable AAA
Router(config)# aaa new-model
– Enables the AAA functionality on the router (default = disabled)
Specify Authentication Protocols
Router(config)# aaa authentication login default method1 [method2]
– Defines the list of authentication methods that will be used, tried in the order listed
– Methods: TACACS+, RADIUS, or both
Router(config)# aaa authentication login default group {tacacs+ | radius}
Specify Authorization Protocols
Router(config)# aaa authorization auth-proxy default method1 [method2]
– Use the auth-proxy keyword to enable authorization for the authentication proxy via the listed AAA methods
– Methods: TACACS+, RADIUS, or both
Router(config)# aaa authorization auth-proxy default group tacacs+
Define a TACACS+ Server and Its Key
Router(config)# tacacs-server host ip_addr
– Specifies the TACACS+ server IP address
Router(config)# tacacs-server key string
– Specifies the TACACS+ server key
Router(config)# tacacs-server host 10.0.0.3
Router(config)# tacacs-server key secretkey
Define a RADIUS Server and Its Key
Router(config)# radius-server host ip_addr
– Specifies the RADIUS server IP address
Router(config)# radius-server key string
– Specifies the RADIUS server key
Router(config)# radius-server host 10.0.0.3
Router(config)# radius-server key secretkey
Allow AAA Traffic to the Router
Router(config)# access-list 111 permit tcp host 10.0.0.3 eq tacacs host 10.0.0.1
Router(config)# access-list 111 permit icmp any any
Router(config)# access-list 111 deny ip any any
Router(config)# interface ethernet0/0
Router(config-if)# ip access-group 111 in
– Create an ACL to permit TACACS+ traffic from the AAA server to the firewall (TCP port 49 is matched as the source port because this is the server's reply traffic)
  • Source address = AAA server
  • Destination address = interface where the AAA server resides
– May want to permit ICMP
– Deny all other traffic; the authentication proxy adds per-user dynamic ACEs to this ACL after successful authentication
– Apply the ACL to the interface on the side where the AAA server resides
Enable the Router HTTP or HTTPS Server
Router(config)# ip http server
– Enables the HTTP server on the router
Router(config)# ip http authentication aaa
– Sets the HTTP server authentication method to AAA
– The proxy uses the HTTP server to present the login page to the client
Router(config)# ip http secure-server
– Enables the HTTPS server on the router; without it, the login page and the user's credentials cross the network in clear text
Router(config)# ip http server
Router(config)# ip http authentication aaa
Set Global Timers
Router(config)# ip auth-proxy {inactivity-timer min | absolute-timer min}
– Authentication inactivity timer in minutes (default = 60 minutes)
– Absolute timer in minutes (default = 0 minutes, meaning no absolute limit; an authenticated user is removed only by the inactivity timer)
Router(config)# ip auth-proxy inactivity-timer 120
Define and Apply Authentication Proxy
Rules
Router(config)# ip auth-proxy name auth-proxy-name {ftp | http | telnet} [inactivity-time min] [absolute-timer min] [list {acl | acl-name}]
– Creates an authentication proxy rule
Router(config-if)# ip auth-proxy auth-proxy-name
– Applies an authentication proxy rule to an interface
  • For outbound authentication, apply to the inside interface
  • For inbound authentication, apply to the outside interface
Router(config)# ip auth-proxy name aprule http
Router(config)# interface ethernet0
Router(config-if)# ip auth-proxy aprule
Authentication Proxy Rules with ACLs
Router(config)# ip auth-proxy name auth-proxy-name http list {acl-num | acl-name}
– Creates an authentication proxy rule with an access list
Router(config)# ip auth-proxy name aprule http list 10
Router(config)# access-list 10 permit 10.0.0.0 0.0.0.255
Router(config)# interface ethernet0
Router(config-if)# ip auth-proxy aprule
An authentication proxy rule can be associated with an ACL, providing control over which hosts use the authentication proxy: only traffic permitted by the ACL triggers the proxy, and hosts it does not match are handled by the interface ACL alone.
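The steps in section 6.1 assembled into one complete router configuration, as an added example; it is not from the original slides or from Cisco's course material. The topology and addresses (users on 10.0.0.0/24 and the AAA server 10.0.0.3 behind Ethernet0/0 at 10.0.0.1, the Internet on Ethernet0/1), the ACL numbers, the rule name aprule and the key secretkey are assumptions. The `local` fallback on the login method list is an addition so that the console is not locked out when the AAA server is unreachable, and the explicit permit for HTTP to the router is added so the intercepted session can reach the login page even if the interface ACL is evaluated first.

```cisco
! Added example (not from the original slides). Assumed topology:
!   Ethernet0/0 = inside, 10.0.0.1/24, users and AAA server 10.0.0.3
!   Ethernet0/1 = outside (Internet)
! Names, addresses, ACL numbers and the key are assumptions.
!
! 1. Enable AAA. Login authentication goes to TACACS+, with the local
!    database as a fallback so the console is not locked out (assumed).
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
!
! 2. TACACS+ server and shared key (assumed values).
tacacs-server host 10.0.0.3
tacacs-server key secretkey
!
! 3. HTTP/HTTPS server for the proxy's login page, authenticated via AAA.
!    The secure server keeps the credentials off the wire in clear text.
ip http server
ip http secure-server
ip http authentication aaa
!
! 4. Global timers: remove a user after 120 idle minutes; absolute-timer
!    is left at its default of 0, i.e. no absolute limit.
ip auth-proxy inactivity-timer 120
!
! 5. Only hosts permitted by ACL 10 are subject to the proxy.
access-list 10 permit 10.0.0.0 0.0.0.255
!
! 6. The rule: intercept HTTP from those hosts and trigger authentication.
ip auth-proxy name aprule http list 10
!
! 7. Inbound ACL on the inside interface: TACACS+ replies from the AAA
!    server to the router, the login page itself (added here as an
!    assumption), ICMP, and nothing else. After a user authenticates the
!    proxy inserts that user's dynamic ACEs ahead of the deny.
access-list 111 permit tcp host 10.0.0.3 eq tacacs host 10.0.0.1
access-list 111 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq www
access-list 111 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 443
access-list 111 permit icmp any any
access-list 111 deny ip any any
!
! 8. Outbound authentication: rule and ACL both go on the inside interface.
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 111 in
 ip auth-proxy aprule
!
! Checks (exec mode):
!   show ip auth-proxy configuration   - rules, timers, and interfaces
!   show ip auth-proxy cache           - who is authenticated right now
!   clear ip auth-proxy cache *        - force every user to re-authenticate
!   debug ip auth-proxy detailed       - watch an interception end to end
```

Test it from an inside host: the first HTTP request to an outside address should return the router's login page, `show ip auth-proxy cache` should then list the host with its idle time, and a second `show access-lists 111` should show the dynamic entries the AAA profile supplied.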
Module 6 – Configure Trust and Identity at Layer 3
6.2 Introduction to PIX Security Appliance AAA Features
Types of Authentication
• Three types of authentication are available on the PIX Security Appliance:
1. Access authentication
2. Cut-through proxy authentication
3. Tunnel access authentication
Types of Authentication
• For cut-through proxy authentication, the PIX Security Appliance can be configured to require user authentication for a session through the PIX, as specified in the aaa authentication command.
– Only Telnet, FTP, HTTPS, and HTTP sessions can be intercepted to authenticate users.
• Once authenticated, the PIX then shifts the session flow and all traffic flows directly between the server and the client while maintaining session state information.
• For tunnel access authentication, the PIX Security Appliance can be configured to require a remote tunnel user to authenticate prior to full tunnel establishment.
AAA Server Support
• The PIX Security Appliance supports authentication and authorization using its own local user database or an external AAA server.
– Accounting is tracked on an external accounting server.
• The protocol used for communication between the PIX Security Appliance and an external AAA server varies by AAA feature (see the next figure).
AAA Server Support (figure not included in the transcript)
Module 6 – Configure Trust and Identity at Layer 3
6.3 Configure AAA on the PIX Security Appliance
Types of Access Authentication (figure not included in the transcript)
Remote PIX Access
• Telnet access to the Security Appliance console is available from any internal interface
• Telnet access to the outside interface is only available through an IPSec tunnel, because Telnet carries credentials in clear text
• SSH access to the Security Appliance console is available from any interface
The remaining slides of this section contain only figures; their titles are retained:
– Authentication Configuration Steps
– Add Users to the Local User Database
– Cut-Through Proxy
– Authentication of Non-Telnet, FTP, or HTTP Traffic
– Virtual Telnet
– Virtual HTTP
– User Authorization
– Downloadable ACLs
– Enable Accounting Match
– Admin Accounting
– Command Accounting
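The access authentication and cut-through proxy described in 6.2, together with the configuration steps whose slides in 6.3 survive only as titles (local user database, cut-through proxy, virtual Telnet and HTTP, authorization, accounting), as an added example configuration; it is not from the original slides or from Cisco's course material. PIX 7.x command syntax is assumed, as are the server-group tag TACSRV, the ACL name AUTH, the addresses (users on 10.0.0.0/24, the TACACS+ server 10.0.0.3, unused inside addresses 10.0.0.250 and 10.0.0.251 for the virtual servers) and the credentials.

```cisco
! Added example (not from the original slides). PIX 7.x syntax assumed.
! Assumed: inside interface on 10.0.0.0/24, TACACS+ server 10.0.0.3,
! 10.0.0.250 and 10.0.0.251 unused on the inside segment.
!
! 1. Access authentication: local user database for the console.
!    (Password and username are placeholders.)
username admin password Str0ngPassw0rd privilege 15
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
!
! 2. External AAA server group used by the cut-through proxy.
aaa-server TACSRV protocol tacacs+
aaa-server TACSRV (inside) host 10.0.0.3
 key secretkey
!
! 3. Cut-through proxy: only Telnet, FTP, HTTP and HTTPS sessions can
!    be intercepted, so the match ACL lists exactly those.
access-list AUTH extended permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list AUTH extended permit tcp 10.0.0.0 255.255.255.0 any eq https
access-list AUTH extended permit tcp 10.0.0.0 255.255.255.0 any eq ftp
access-list AUTH extended permit tcp 10.0.0.0 255.255.255.0 any eq telnet
aaa authentication match AUTH inside TACSRV
!
! 4. Per-user authorization and accounting for the same sessions.
!    With RADIUS instead of TACACS+, the per-user ACL can be downloaded
!    from ACS (downloadable ACLs) rather than authorized per command.
aaa authorization match AUTH inside TACSRV
aaa accounting match AUTH inside TACSRV
!
! 5. Virtual Telnet and Virtual HTTP: a user whose real traffic is not
!    one of the four interceptable protocols first connects to one of
!    these addresses to authenticate, which creates the uauth entry that
!    then lets the other traffic through.
virtual telnet 10.0.0.251
virtual http 10.0.0.250
!
! Checks (exec mode):
!   show aaa-server TACSRV   - server reachability and request counters
!   show uauth               - currently authenticated users and timeouts
!   clear uauth              - force every user to re-authenticate
```

The match ACL is what bounds the attack surface: a host outside 10.0.0.0/24, or a session on any other port, is never offered the proxy and is simply judged by the interface access list, so keep the AUTH list as narrow as the population that must authenticate.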