Communication Security: Remote Access and Messaging • Chapter 3 157
A RAS authenticates a user, which means it determines who the user is. A RAS also authorizes the functions the authenticated user may perform, and it accounts for the user's activity by logging the actions taken for the duration of the connection. RADIUS was designed to handle the authentication and authorization of dial-in users.
RADIUS is the most widely deployed of the AAA protocols, which also include TACACS, TACACS+, and DIAMETER. TACACS is another remote access protocol, developed during the days of ARPANET. Although TACACS offers authentication and authorization, it does not offer any accounting. TACACS+ is a proprietary version of TACACS developed by Cisco. It is not backward compatible with TACACS or XTACACS, because its packet format is completely different from either; in practice it is a separate protocol rather than a revision. TACACS+ is credited with separating the AAA functions: unlike the earlier versions (and RADIUS, which combines authentication and authorization in a single Access-Request/Access-Accept exchange), TACACS+ performs authentication, authorization, and accounting as three independent exchanges, so each can be backed by its own database or policy store. TACACS+ was also the first revision to protect the traffic between the TACACS+ client and the TACACS+ server: it obfuscates the entire packet body with an MD5-derived keystream keyed by the shared secret, whereas RADIUS hides only the User-Password attribute and sends every other attribute (user name, NAS address, and so on) in cleartext. Neither mechanism is strong cryptography by modern standards; RFC 8907, which documents TACACS+, recommends carrying it over TLS. A further difference is the transport: TACACS+ uses TCP (port 49), whereas RADIUS uses UDP (ports 1812 and 1813, or 1645 and 1646 in older deployments).
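The following is an added example, not code from the study guide, showing concretely how much of a login a passive eavesdropper recovers from RADIUS versus TACACS+. It implements the RFC 2865 User-Password hiding and the RFC 8907 body obfuscation from scratch with the standard library, builds one Access-Request and one TACACS+ authentication START (PAP) packet, and then parses each the way a sniffer without the shared secret would. The shared secret, user name, password, Request Authenticator, session ID, port and remote address are all constructed test values.

```python
import hashlib
import struct

# Constructed sample values; nothing here comes from the study guide.
SECRET = b"constructed-shared-secret"
USER = b"alice"
PASSWORD = b"s3cret!"
REQUEST_AUTHENTICATOR = bytes(range(16))  # RADIUS: 16 random bytes in practice
SESSION_ID = 0x1234ABCD                    # TACACS+: random 32-bit value in practice


def radius_hide_password(secret, authenticator, password):
    """RFC 2865 s5.2 User-Password hiding: pad to 16-byte blocks, XOR each
    block with MD5(secret || previous ciphertext block), seeded with the
    Request Authenticator.  Only this one attribute is protected."""
    if len(authenticator) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("bad authenticator or password length")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def radius_reveal_password(secret, authenticator, hidden):
    """Server side: inverse of radius_hide_password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(prev, block))
    return out.rstrip(b"\x00")


def radius_access_request(secret, authenticator, user, password, identifier=1):
    """Access-Request: Code 1, Identifier, Length, 16-byte Authenticator, then
    User-Name (type 1) in cleartext and User-Password (type 2) hidden."""
    hidden = radius_hide_password(secret, authenticator, password)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def radius_eavesdrop(packet):
    """What a sniffer gets without the secret: every attribute, as sent."""
    attrs, off = {}, 20
    while off < len(packet):
        atype, alen = packet[off], packet[off + 1]
        attrs[atype] = packet[off + 2:off + alen]
        off += alen
    return attrs


def tacacs_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5 pseudo-pad: MD5_1 = MD5(session_id||key||version||seq_no),
    MD5_n = MD5(session_id||key||version||seq_no||MD5_n-1), concatenated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(session_id, key, version, seq_no, body):
    """XOR the whole body with the pseudo-pad; the same call reverses it."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_authen_start(session_id, key, user, password, seq_no=1):
    """Authentication START (RFC 8907 s5.1) with a PAP password: 12-byte header
    (version 0xc0, type 1 = authentication, seq_no, flags 0, session_id, body
    length) followed by the obfuscated body."""
    port, rem_addr, version = b"tty0", b"10.0.0.5", 0xC0  # constructed values
    # action LOGIN(1), priv_lvl 1, authen_type PAP(2), authen_service LOGIN(1)
    body = bytes([1, 1, 2, 1, len(user), len(port), len(rem_addr), len(password)])
    body += user + port + rem_addr + password
    header = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))
    return header + tacacs_obfuscate(session_id, key, version, seq_no, body)


def tacacs_header(packet):
    """The only cleartext in a TACACS+ packet: the 12-byte header."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": packet[12:12 + length]}


def tacacs_decode_start(packet, key):
    """Server side: recover (user, password) from a START packet with the key."""
    hdr = tacacs_header(packet)
    body = tacacs_obfuscate(hdr["session_id"], key, hdr["version"], hdr["seq_no"], hdr["body"])
    user_len, port_len, rem_len, data_len = body[4:8]
    user = body[8:8 + user_len]
    data_off = 8 + user_len + port_len + rem_len
    return user, body[data_off:data_off + data_len]


if __name__ == "__main__":
    rpkt = radius_access_request(SECRET, REQUEST_AUTHENTICATOR, USER, PASSWORD)
    print("RADIUS sniffer sees:", radius_eavesdrop(rpkt))
    tpkt = tacacs_authen_start(SESSION_ID, SECRET, USER, PASSWORD)
    print("TACACS+ sniffer sees:", tacacs_header(tpkt))
```

Running it shows the RADIUS User-Name attribute in the clear next to the hidden User-Password, while the TACACS+ output contains nothing beyond the header fields. Note that both constructions are keyed MD5 XOR streams: a captured RADIUS packet can be brute-forced offline against the shared secret, and TACACS+ with a weak secret fares no better, which is why both should be confined to a management network or wrapped in TLS/IPsec.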
Another tool that can be used to secure remote communications is SSH. SSH is a cryptographically secure replacement for the standard Telnet, rlogin, RSH, and RCP commands. It consists of a client and a server that use public-key cryptography to authenticate the server (and optionally the user) and to negotiate a session key; the session itself is then encrypted and integrity-protected with symmetric ciphers and MACs. SSH also provides the ability to forward arbitrary TCP ports over the encrypted connection. SSH is concerned with the confidentiality and integrity of the information passed between the client and the host. Using SSH helps protect against many types of attack, including packet sniffing, IP spoofing, and the manipulation of data by unauthorized users, but only when the client verifies the server's host key against a trusted record: a client that accepts any key it is offered can be redirected to an attacker's machine without noticing.
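As an added example (not code from the study guide or from OpenSSH), the following reproduces the host-key check an SSH client performs against its known_hosts file, which is the step that turns the spoofing and interception protection described above into practice. It parses plain, hashed (HashKnownHosts) and bracketed non-default-port entries, computes the SHA256 fingerprint that `ssh-keygen -lf` prints, and classifies a presented key as a match, a mismatch (a recorded key of the same type differs, so the connection must be refused) or unknown. The host names, salt and key blobs are constructed; the key bytes are not real curve points, and no host is contacted.

```python
import base64
import hashlib
import hmac
import re
import struct


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack("!I", len(data)) + data


def make_ed25519_blob(raw32):
    """Base64 public-key blob as written in known_hosts / authorized_keys."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw32)).decode()


def blob_key_type(blob_b64):
    """The key type is the first wire string inside the blob."""
    raw = base64.b64decode(blob_b64)
    (n,) = struct.unpack("!I", raw[:4])
    return raw[4:4 + n].decode()


def fingerprint_sha256(blob_b64):
    """OpenSSH fingerprint as printed by `ssh-keygen -lf`: SHA-256 of the
    decoded blob, base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(hostname, salt):
    """HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(key=salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def glob_match(pattern, s):
    """OpenSSH host patterns support only * and ? (negated '!' patterns omitted)."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, s) is not None


def host_field_matches(field, hostname):
    """Match one known_hosts host field: hashed fields are recomputed with
    their own salt; plain fields are comma-separated patterns."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|", 3)
        return hash_hostname(hostname, base64.b64decode(salt_b64)) == field
    return any(glob_match(p, hostname) for p in field.split(","))


def check_host_key(known_hosts, hostname, presented_blob):
    """Return "match", "mismatch" or "unknown" for the key a server presents.
    "mismatch" is the spoofing/MITM signal: a key of the same type is on
    record for this host and it differs, so the client must refuse to connect."""
    wanted_type, verdict = blob_key_type(presented_blob), "unknown"
    for line in known_hosts.splitlines():
        parts = line.split()
        # skip blanks, comments and @cert-authority / @revoked marker lines
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        field, keytype, blob = parts[0], parts[1], parts[2]
        if keytype != wanted_type or not host_field_matches(field, hostname):
            continue
        if hmac.compare_digest(blob, presented_blob):
            return "match"
        verdict = "mismatch"
    return verdict


# Constructed sample data: the key bytes are NOT real curve points and the
# salt is fixed; OpenSSH uses a random 20-byte salt per hashed entry.
KEY_A = make_ed25519_blob(bytes(range(32)))
KEY_B = make_ed25519_blob(bytes(range(32, 64)))
SALT = b"\x01" * 20
KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "gw.example,192.0.2.1 ssh-ed25519 " + KEY_A,
    "[jump.example]:2222 ssh-ed25519 " + KEY_B,
    hash_hostname("bastion.example", SALT) + " ssh-ed25519 " + KEY_A,
])

if __name__ == "__main__":
    for host, key in [("gw.example", KEY_A), ("gw.example", KEY_B), ("nowhere.example", KEY_A)]:
        print(host, fingerprint_sha256(key), check_host_key(KNOWN_HOSTS, host, key))
```

The "unknown" verdict is the trust-on-first-use moment: OpenSSH shows the fingerprint and asks the user to confirm it, and that confirmation is only meaningful if the fingerprint is compared against one obtained out of band (from the administrator, a configuration management system, or an SSHFP DNS record). Setting StrictHostKeyChecking to no, or wiping known_hosts to silence a mismatch warning, removes exactly the protection the text credits SSH with.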
There are several vulnerabilities that can be exploited in remote access. Eavesdropping occurs when an attacker attaches to a network in a manner that allows them to “hear” all of the traffic being passed over the wire; any protocol that sends credentials in cleartext, such as Telnet, is fully exposed to it. In data modification, data is intercepted by a third party (one that is not part of the initial communication), modified, and sent on to the originally intended recipient. In an IP spoofing attack, an attacker listens on a public network (such as the Internet) and examines packets until they believe they have found a trusted host that is allowed to pass data through the firewall. Once the attacker finds this address, they can begin crafting packets and sending them to the target network as if they came from the trusted address. Technical controls do not help against careless users: those who write passwords on sticky notes stuck to their monitor, leave their workstation without locking it with a screensaver, or allow other people to watch while they enter their usernames or passwords are often the easiest victims of these attacks.
www.syngress.com