Complete Guide to IP security (IPSec), TACACS and AAA Network Access Security Protocols:
In previous tutorial, we learned about HTTP and DHCP Protocols in detail and we also learned more about the working of the protocols present at different layers of the TCP/IP model and the ISO-OSI reference model.
Here, we will get to know how to get access to distinctive networks and what kind of authentication process will be followed by the end users to reach a particular network and access its resources and services with the help of the security protocols.
Recommended Read => Guide to Computer Networking
There are hundreds of standards and protocols for authentication, encryption, security, and network access. But here we are discussing only a few of the most popularly used protocols.
What You Will Learn:
What is IP security (IPSec)?
IPSec is a security protocol which is used to provide security at the network layer of the networking system. IPSec authenticates and encrypts the data packets over an IP network.
Features of IPSec
- It guards the overall data packet produced at the IP layer inclusive of the higher layer headers.
- IPSec works in between two different networks, therefore, adoption of security features is easier to implement without making any changes in the running applications.
- Provisions host-based security as well.
- The most frequent task of IPSec is to secure VPN network (a virtual private network) between two different network entities.
- The source and destination nodes can transmit messages in the encrypted form and thus facilitate the confidentiality of data packets.
- Maintains data authentication and integrity.
- Provisions protection against virus attacks through key management.
Operation of IPSec
- The working of IPSec is divided into two sub-parts. The first one is IPSec communication and the second one is Internet key exchange (IKE).
- The IPSec communication is accountable for managing secure communication between two exchange nodes by using security protocols like authentication header (AH) and Encapsulated SP (ESP).
- It also includes functions such as encapsulation, encryption of data packets and processing of IP datagram.
- IKE is a kind of key management protocol which is utilized for IPSec.
- This is not a necessary process as key management can be performed manually but for huge networks, IKE is deployed.
IPSec Communication Modes
There are two kinds of communication modes, i,e. transport, and tunnel mode. However, as transport mode is held back for point to point communication, the tunnel mode is most widely deployed.
In the tunnel mode, the new IP header is added in the data packet and it is encapsulated before we introduce any security protocol. In this, through a single gateway, multiple sessions of communications can be entertained.
The data flow in the tunnel mode is shown with the help of the below diagram.
Security protocols are used to meet security requirements. Various security associations are built up and maintained between two nodes using security protocols. The two kinds of security protocols used by IPSec include authentication header (AH) and encapsulating security payload (ESP).
Authentication Header (AH): Its provisions the authentication by imposing AH into the IP data packet. The place where the header unit should be added is based on the mode of communication used.
The working of AH is based on the hashing algorithm and a classified key which can also be decoded by the end-user nodes. The processing is as follows:
- From the help of SA (security association) the source and destination IP information is gathered and which security protocol is going to be deployed are also known. Once it’s become clear, that AH will be deployed, and the header is used to determine the value of detailed parameters.
- The AH is of 32-bits and parameters like sequence parameter index and authentication data in association with SA will deliver the protocol flow.
AH Authentication Process
Encapsulation Security Protocol (ESP): This protocol is capable of provisioning the security services which are not characterized by the AH protocol like privacy, reliability, authentication and replay resistance. The series of services granted depends upon the options chosen at the instance of SA initiation.
The process of ESP is as follows:
- Once it has been identified that ESP is going to be used, the various parameters of headers are calculated. The ESP has two important fields, i.e. ESP header, and ESP trailer. The overall header is of 32-bits.
- The header has the security parameter index (SPI) and sequence number while the trailer has the fields padding length, next header specification and most importantly authentication data.
- The below diagram is shown how encryption and authentication are provided in ESP using tunnel communication mode.
- The encryption algorithms used include DES, 3DES, and AES. The others can also be used.
- The secret key should be known both at the sending end and receiving end so that they can extract the desired output from them.
ESP Authentication Process
Security Association in IPSec
- SA is an integral part of IPSec communication. The virtual connectivity between the source and the destination host is set up before the exchange of data between them, and this connection is called security association (SA).
- SA is a combination of parameters like finding out encryption and authentication protocols, secret key and sharing them with two entities.
- SA’s are recognized by the security parameter index (SPI) number which is present in the header of the security protocol.
- The SA is distinctively identified by the SPI, destination IP address and a security protocol identifier.
- The SPI value is an arbitrary evolved number which is used to map the incoming data packets with the recipient's one at the receiver end so that it will become simple to identify the different SA’s reaching the same point.
TACACS (Terminal Access Controller Access Control System)
It is the oldest protocol for the authentication process. It was used in UNIX networks which permits a remote user to pass on the login username and password to an authentication server to evaluate the access granted to the client host or not in a system.
The protocol uses the port 49 of TCP or UDP by default and it permits the client host to acknowledge the username and password and forward a query to the TACACS authentication server. The TACACS server is known as TACACS daemon or TACACSD which finds out whether to allow and deny the request and reverts with a response.
On the basis of the response, the access is granted or denied and the user can log in by using dial-up connections. Thus the process of authentication is dominated by the TACACSD and is not very much in use.
Therefore TACACS is switch over by TACACS+ and RADIUS which are been used in most of the networks these days. TACACS uses the AAA architecture for authentication and distinct servers are used to complete each process involved in authentication.
TACACS+ works on TCP and connection-oriented protocol. TACACS+ encrypts the whole data packet before transmitting thus it is less prone to virus attacks. At the remote end, the secret key is used to decrypt the whole data into the original one.
AAA (Authentication, Authorization, and Accounting)
This is a computer security architecture and various protocols follow this architecture for providing authentication.
The working principle of these three steps are as follows:
Authentication: It specifies that the user client who is requesting for a service is a bonafide user. The process is carried out by presenting credentials like a one-time password (OTP), digital certificate or via telephonic call.
Authorization: Based on the type of service permitted to the user and based on the user restriction, the authorization is granted to the user. The services include routing, IP allocation, traffic management etc.
Accounting: Accounting is deployed for management and planning purposes. It contains all the necessary information like when a particular service will start and end up, the identity of the user and the services used, etc.
The server will provide all the above services and deliver it to the clients.
AAA Protocols: As we know, in the past TACACS and TACACS+ were used for the authentication process. But now there is one more protocol known as RADIUS which is AAA based and is used widely all over in the networking system.
Network Access Server: It is a service component that acts as an interface between the client and dial-up services. It is present at the ISP end to provides access of internet to its users. NAS is also a solo point of access for remote users and also acts as a gateway to protect the resources of the network.
RADIUS Protocol: RADIUS stands for remote authentication dial-in user service. It is basically used for applications like network access and IP mobility. The authentication protocols like PAP or EAP are deployed to authenticate subscribers.
RADIUS works on the client-server model that operates on the application layer and uses TCP or UDP port 1812. The NAS which act as gateways to access a network includes both the RADIUS client as well as RADIUS server components.
The RADIUS works on AAA architecture and thus uses two packet-type message formats to accomplish the process, an access request message for authentication and authorization and accounting-request for supervising accounting.
Authentication and Authorization in RADIUS:
The end user sends a request to NAS seeking access to the network by making use of the access credentials. Then the NAS forwards a RADIUS access request message to the RADIUS server, by raising permission for access to the network.
The request message comprises of access credentials like username and password or digital signature of the user. It also has other data like IP address, phone number of user etc.
The RADIUS server examines the data using authentication methods like EAP or PAP. After confirming the credential information and other relevant data the server reverts back with this response.
#1) Access reject: The access is rejected as the identity proof or login ID submitted is not valid or expired.
#2) Access Challenge: Apart from the basic access credential data, the server requires other information as well to grant access like OTP or PIN number. It is basically used for more sophisticated authentication.
#3) Access-Accept: The access permission has been given to the end user. After the authentication of the user, the server on a regular interval of time examines whether the user is authorized to use the network services asked for. Based on the settings, the user may be allowed to access a particular service only and not the others.
Every RADIUS response also has a reply-message attribute which presents the reason for rejection or acceptance.
The authorization attributes like the user’s network address, type of service granted, the time duration of the session also pass on to the NAS after the access is granted to the user.
After the access is granted to the user to login into the network, the accounting part comes into the picture. To denote the initiation of user’s access to the network a RADIUS accounting request message which consists of ”start” attribute is sent by the NAS to the RADIUS server.
The start attribute mainly consists of the user’s identity, session start and end time and network related information.
When the user wants to close the session, the NAS will publish a RADIUS accounting request message which consists of a “stop” attribute to stop the access to the network to the RADIUS server. It also provides the motive for disconnect and final usage of data and other services of the network.
In return, the RADIUS server sends the accounting response message as the acknowledgment to turn-off the services and terminates the access of the user to the network.
This part is mostly used for applications where statistics and data monitoring is required.
In the meantime, in between the flow of RADIUS request and response message attributes, the NAS will also send “interim-update” request attributes to the RADIUS server to update the network with some latest necessary data.
It is one of the basic standard protocols to control network access in a system.
The scenario of the authentication process involves an end device which is known as a supplicant, who initiates the request for service, the authenticator and the authentication server. The authenticator acts as a safeguard to the network and allows access to the requesting client only once until the identification of the user has been verified.
The detailed working of this protocol is explained in the part-2 of this tutorial.
From this tutorial, we have learned how to get authentication, authorization and provisions security to the network with the help of the above-mentioned protocols.
We have also analyzed that these protocols make our networking system secure from unauthorized users, hackers and virus attacks and make an understanding of AAA architecture.
Deep knowledge on 802.1X protocol and 802.11i protocol which clearly specifies the fact on how the access of the user to a network can be controlled to provide only limited access to a classified network.