Understanding AAA Operation In Cyber Security

AAA Operation In Cyber Security

Understanding AAA Operation In Cyber Security

 

 

A network must be designed to control who is allowed to connect to it and what they are allowed to do when they are connected. These design requirements are identified in the network security policy. The policy specifies how network administrators, corporate users, remote users, business partners, and clients access network resources. The network security policy can also mandate the implementation of an accounting system that tracks who logged in and when and what they did while logged in. Some compliance regulations may specify that access must be logged and the logs retained for a set period of time.

 

The Authentication, Authorization, and Accounting (AAA) protocol provides the necessary framework to enable scalable access security.

The table lists the three independent security functions provided by the AAA architectural framework.

AAA Component Description
Authentication
  • Users and administrators must prove that they are who they say they are.
  • Authentication can be established using a username and password combinations, challenge and response questions, token cards, and other methods.
  • AAA authentication provides a centralized way to control access to the network.
Authorization
  • After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform.
  • An example is “User ‘student’ can access host server XYZ using SSH only.”
Accounting
  • Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made.
  • Accounting keeps track of how network resources are used.
  • An example is “User ‘student’ accessed host server XYZ using SSH for 15 minutes.”

This concept is similar to the use of a credit card, as indicated by the figure. The credit card identifies who can use it, how much that user can spend, and keeps an account of what items the user spent money on.

The figure shows a credit card next to a credit card statement. There is a rectangle around the numbers on the credit card with the text, Authentication Who are you? A second rectangle is around the credit limit on the credit card statement with the text, Authorization How much can you spend? A third rectangle is around the transaction portion of the credit card summary with the text Accounting What did you spend on it?

 

AAA Authentication

AAA Authentication can be used to authenticate users for administrative access or it can be used to authenticate users for remote network access.

Cisco provides two common methods of implementing AAA services.

Local AAA Authentication
Server-Based AAA Authentication

This method is sometimes known as self-contained authentication because it authenticates users against locally stored usernames and passwords, as shown in the figure. Local AAA is ideal for small networks.

a remote client connects to a AAA router, is prompted for a username and password, the router checks its local database before allowing access into the corporate network

Centralized AAA is more scalable and manageable than local AAA authentication and therefore, it is the preferred AAA implementation.

A centralized AAA system may independently maintain databases for authentication, authorization, and accounting. It can leverage Active Directory or Lightweight Directory Access Protocol (LDAP) for user authentication and group membership while maintaining its own authorization and accounting databases.

Devices communicate with the centralized AAA server using either the Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS+) protocols.

The table lists the differences between the two protocols.

TACACS+ RADIUS
Functionality It separates authentication, authorization, and accounting functions according to the AAA architecture. This allows modularity of the security server implementation. It combines authentication and authorization but separates accounting, which allows less flexibility in implementation than TACACS+
Standard Mostly Cisco supported Open/RFC standard
Transport TCP port 49 UDP ports 1812 and 1813, or 1645 and 1646
Protocol CHAP Bidirectional challenge and response as used in Challenge Handshake Authentication Protocol (CHAP) Unidirectional challenge and response from the RADIUS security server to the RADIUS client
Confidentiality Encrypts the entire body of the packet but leaves a standard TACACS+ header. Encrypts only the password in the access-request packet from the client to the server. The remainder of the packet is unencrypted, leaving the username, authorized services, and accounting unprotected.
Customization Provides authorization of router commands on a per-user or per-group basis Has no option to authorize router commands on a per-user or per-group basis
Accounting Limited Extensive

AAA Accounting Logs

Centralized AAA also enables the use of the Accounting method. Accounting records from all devices are sent to centralized repositories, which simplifies auditing of user actions.

AAA Accounting collects and reports usage data in AAA logs. These logs are useful for security auditing. The collected data might include the start and stop connection times, executed commands, number of packets, and number of bytes.

One widely deployed use of accounting is to combine it with AAA authentication. This helps with managing access to internetworking devices by network administrative staff. Accounting provides more security than just authentication. The AAA servers keep a detailed log of exactly what the authenticated user does on the device, as shown in the figure. This includes all EXEC and configuration commands issued by the user. The log contains numerous data fields, including the username, the date and time, and the actual command that was entered by the user. This information is useful when troubleshooting devices. It also provides evidence against individuals who perform malicious actions.

The table displays the various types of accounting information that can be collected.

Type of Accounting Information Description
Network Accounting Network accounting captures information for all Point-to-Point Protocol (PPP) sessions, including packet and byte counts.
Connection Accounting Connection accounting captures information about all outbound connections that are made from the AAA client, such as by SSH.
EXEC Accounting EXEC accounting captures information about user EXEC terminal sessions (user shells) on the network access server, including username, date, start and stop times, and the access server IP address.
System Accounting System accounting captures information about all system-level events (for example, when the system reboots or when accounting is turned on or off).
Command Accounting Command accounting captures information about the EXEC shell commands for a specified privilege level, as well as the date and time each command was executed, and the user who executed it.
Resource Accounting The Cisco implementation of AAA accounting captures “start” and “stop” record support for connections that have passed user authentication. The additional feature of generating “stop” records for connections that fail to authenticate as part of user authentication is also supported. Such records are necessary for users employing accounting records to manage and monitor their networks.

Action Point

I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.

Download Our App.

            

Follow Us On Telegram
            

CEHNigeria On Google Playstore

 

 

            

GET SEOPOZ . OUTSMART YOUR BLOG COMPETITORS

 

 

Joint Our Whatsapp Group

Follow Us On Twitter and I will Follow Back

            

Follow Us On Twitter

Kindly follow me on Twitter and I promise I will follow back. Aside you will get updated when we post new articles.

About Adeniyi Salau 896 Articles
I am an IT enthusiast and a man of many parts. I am a Certified Digital Marketer, Project Manager and a Real Estate Consultant. I love writing because that's what keeps me going. I am running this blog to share what I know with others. I am also a Superlife Stem Cell Distributor. Our Stem Cell Products can cure many ailments.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


CommentLuv badge