Authentication, authorization, and accounting
One important countermeasure is our ability to control who accesses our information. Collectively, the technology that we use to implement this is known as authentication, authorization, and accounting (AAA) (pronounced triple-A). This is especially critical for remote access to corporate or private network resources.
Authentication methodologies address how each user is validated. How strong is that validation? Does it draw on one authentication database or on several that must be kept synchronized? Are user names and passwords passed in plaintext or protected in transit? As an example, in a RADIUS deployment the remote user authenticates to the remote access server (RAS) over PPP using PAP or CHAP; the RAS, acting as the RADIUS client, then forwards the credentials to the AAA server in Access-Request messages carried over UDP. The AAA server can also perform network operating system (NOS) authentication for the remote user against NetWare, UNIX, or Windows NT user databases. The messages exchanged between the RAS and the AAA server rely on MD5 keyed with a shared secret: the User-Password attribute is hidden with an MD5-derived keystream, and every reply carries an MD5 Response Authenticator so the RAS can check that the reply came from a server holding the secret. This is obfuscation rather than strong encryption. It is only as good as the shared secret, and anyone who can capture the UDP traffic can try to guess that secret offline, so the RAS-to-server path should itself be protected (for example with IPsec or RADIUS over TLS).
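The following is an added example, not code from the original page, showing what the MD5-based protection in the RAS-to-server exchange actually consists of: the RFC 2865 User-Password hiding, a minimal server that recovers the password and answers, and the Response Authenticator check the RAS performs on the reply. The shared secret, user name and password are the worked-example values from RFC 2865 section 7.1; the packet helpers, the one-entry user store and the Request Authenticator usage are constructed here for illustration.

```python
"""RADIUS password hiding and reply authentication per RFC 2865.

Added example; not code from the original page.  Secret, user and password
are the worked-example values from RFC 2865 section 7.1; everything else
(packet layout helpers, the tiny user store) is constructed here."""
import hashlib
import os
import secrets
import struct

SHARED_SECRET = b"xyzzy5461"      # known to the RAS (RADIUS client) and the server only
USER_NAME = b"nemo"
USER_PASSWORD = b"arctangent"
# Request Authenticator from the RFC 2865 example; a real RAS draws 16 fresh random bytes.
REQUEST_AUTH = bytes.fromhex("0f403f9473978057bd83d5cb98f4227a")

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # attribute types


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = request_auth, bytearray()
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                       # chaining: next keystream depends on ciphertext
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the keystream, XOR it with the ciphertext, strip padding."""
    prev, out = request_auth, bytearray()
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                         request_auth: bytes = None) -> bytes:
    """What the RAS sends: Code, Identifier, Length, Request Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, user)
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Minimal server: recover the password, compare it, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    ok = (code == ACCESS_REQUEST and user in users and hidden is not None
          and secrets.compare_digest(reveal_password(hidden, secret, request_auth), users[user]))
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, b"", request_auth, secret)
    return struct.pack("!BBH", reply_code, ident, 20) + auth


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RAS side: trust a reply only if its authenticator matches our request and the secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    attrs = response[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return secrets.compare_digest(response[4:20], expected)


if __name__ == "__main__":
    req = build_access_request(1, USER_NAME, USER_PASSWORD, SHARED_SECRET, REQUEST_AUTH)
    resp = server_handle(req, SHARED_SECRET, {USER_NAME: USER_PASSWORD})
    print("reply code", resp[0], "authentic:", verify_response(resp, REQUEST_AUTH, SHARED_SECRET))
```

Two things the code makes visible: the password "hiding" is a keyed XOR whose key is MD5 of the shared secret, so a weak or guessable secret exposes every password that ever crossed the link, and a reply with a wrong Response Authenticator (here, one computed with the wrong secret) must be discarded by the RAS, or a forged Access-Accept would be enough to get in.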
After authentication, a user must be authorized to use network resources. For this the AAA server consults attribute lists held in the user’s profile. Check-list attributes define conditions the connection must satisfy: the RAS describes the connection in the Access-Request it sends (for example the port type, the RAS address, or the caller’s number), and every check-list item in the profile must match those attributes before access is granted. Check-list attributes let the network manager enforce access rules; for example, some users may connect over the Internet while others may not, or caller ID can be used to ensure that a call originates from a legitimate, allowed location. Return-list attributes define additional parameters assigned to the connection on success, usually applied as part of the PPP negotiation. Examples include an assigned IP or IPX address, IP header compression, or a connection time limit.
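As an added illustration of the check-list and return-list mechanism (example code written for this page, not a vendor’s implementation), the block below evaluates a user profile against the attributes a RAS would put in an Access-Request. The two profiles, the match rules (exact value, set of allowed values, CIDR prefix, wildcard pattern) and the decision tuple are constructed for the example; the attribute names are the standard RADIUS ones.

```python
"""Check-list and return-list evaluation for RADIUS authorization.

Added example, not from the page; the profiles, match rules and result
format are constructed to mirror the text.  Attribute names are the
standard RADIUS ones (NAS-Port-Type, Calling-Station-Id, ...)."""
from dataclasses import dataclass
import fnmatch
import ipaddress


@dataclass
class Profile:
    check: dict   # check-list: attribute -> value(s) the Access-Request must carry
    reply: dict   # return-list: attributes handed back in the Access-Accept


# Constructed user profiles (assumption for the example).
PROFILES = {
    # alice may come in over the Internet (a virtual/VPN port) via any RAS in 10.0.0.0/8
    "alice": Profile(
        check={"NAS-Port-Type": {"Virtual"}, "NAS-IP-Address": "10.0.0.0/8"},
        reply={"Framed-IP-Address": "192.0.2.10",
               "Framed-Compression": "Van-Jacobson-TCP-IP",   # IP header compression
               "Session-Timeout": 3600},                       # connection time limit (s)
    ),
    # bob may only dial in, and only from one block of caller-ID numbers
    "bob": Profile(
        check={"NAS-Port-Type": {"Async", "ISDN"}, "Calling-Station-Id": "+15555550*"},
        reply={"Framed-IP-Address": "192.0.2.20"},
    ),
}


def matches(required, actual) -> bool:
    """Evaluate one check-list item. An absent attribute never matches (deny by default)."""
    if actual is None:
        return False
    if isinstance(required, (set, frozenset)):          # any of several allowed values
        return actual in required
    if isinstance(required, str) and "/" in required:    # CIDR prefix for address attributes
        try:
            return ipaddress.ip_address(actual) in ipaddress.ip_network(required, strict=False)
        except ValueError:
            return False
    if isinstance(required, str) and any(c in required for c in "*?["):  # wildcard pattern
        return fnmatch.fnmatchcase(str(actual), required)
    return required == actual


def authorize(username: str, request_attrs: dict, profiles: dict = PROFILES):
    """Return (decision, return-list attributes, reason) for one Access-Request."""
    profile = profiles.get(username)
    if profile is None:
        return "Access-Reject", {}, "unknown user"
    for attr, required in profile.check.items():
        if not matches(required, request_attrs.get(attr)):
            return "Access-Reject", {}, f"check-list item {attr} failed"
    return "Access-Accept", dict(profile.reply), "all check-list items matched"


if __name__ == "__main__":
    print(authorize("alice", {"NAS-Port-Type": "Virtual", "NAS-IP-Address": "10.1.2.3"}))
    print(authorize("bob", {"NAS-Port-Type": "Async", "Calling-Station-Id": "+15555559999"}))
```

Two practitioner notes. A check item whose attribute is missing from the request fails rather than being skipped, so a RAS that omits Calling-Station-Id cannot silently bypass the caller-ID rule. And caller ID is asserted by the carrier and RAS, not proven by the user, so it is a coarse filter on where a call may come from, not a substitute for the password or token check that precedes it.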
Lastly, accounting methodologies address session usage: who logged in, from where they logged in, how long the session lasted, what destination was reached, how much data was exchanged, and why the session ended. Accounting is typically tied to a billing or cost-accounting system, and the same records are the raw material for auditing and incident investigation.
AAA functions are also being incorporated into other systems. Intrusion protection systems (IPS) build on the session records that accounting produces, and network access control (NAC) systems integrate AAA functions directly. Together these systems form a cohesive security architecture for the enterprise.
Podcast: http://podcast.hill-vt.com/podsnacks/2007q3/aaa.mp3 (AAA)