Authentication, Authorization, and Accounting - CompTIA Security+ SY0-701 - 1.2

00:01

We're all very familiar with the login process.

00:04

You put in your username, your password.

00:07

There might be some additional authentication factors.

00:09

And if all of those are correct, you

00:11

gain access to resources on that system.

00:14

This process begins with identification,

00:17

where you claim to be a particular user on that system.

00:21

The check between your username, your password,

00:24

and the other authentication factors

00:25

is referred to as authentication.

00:28

This proves that we really are who

00:30

we say we are because we knew the secret password,

00:34

or we had some additional authentication factors

00:37

that we could use to help prove that we are that person.

00:40

Now that we've identified who we are,

00:42

we now need to determine what type of access we have.

00:46

And that's done through authorization.

00:48

If we're part of the shipping and receiving department,

00:51

then we should have access to systems that should only

00:53

be available to shipping and receiving,

00:55

and we should not have access to information that might

00:58

be in the finance department.

01:00

And of course, all security systems

01:02

need to have a log of exactly what happened.

01:05

So we need to know what time someone logged in,

01:08

how much data may have been sent or received, and what time.

01:11

This person logged out.

01:13

We refer to this entire system as the AAA framework.

01:17

And this refers to Authentication, Authorization,

01:21

and Accounting.

01:22

Let's have a look at a practical example of using AAA.

01:26

We're going to use the example of logging in to a VPN server.

01:30

In this case, it would be a firewall or VPN

01:32

concentrator in the middle.

01:34

You're on one side of that concentrator,

01:37

and you need to use AAA to gain access to an internal file

01:40

server.

01:41

So we'll start with our client on the internet.

01:43

And we'll access the VPN concentrator,

01:46

which prompts us for a login.

01:48

So we're going to provide a username and password

01:51

and send that information over to the VPN concentrator.

01:54

The concentrator itself doesn't have any information

01:58

about usernames, passwords, authentication factors,

02:01

or anything else.

02:03

And in most organizations, all of that information

02:05

is stored on a central server.

02:07

And we refer to that as AAA server.

02:11

This AAA server is going to receive the request

02:13

from the VPN concentrator, asking

02:16

if the username, password, and other information that

02:18

was provided matches some type of user in the database.

02:22

And if the match is true, it sends back

02:25

information to the concentrator and says

02:27

those credentials are approved.

02:29

At that point, the concentrator knows that we really

02:32

are the person we claim to be, and it

02:34

allows us access into the internal file server.

02:38

As a security professional, you'll

02:40

be responsible for managing the security on hundreds or perhaps

02:44

even thousands of separate systems.

02:46

And in many cases, you'll never have physical access

02:49

or even be able to see where those systems might

02:52

be because they may be located anywhere in the world.

02:56

So the question now becomes, how can we

02:58

verify that a computer trying to connect to our network

03:01

is a computer that's authorized to be on our network?

03:05

This computer by itself obviously

03:07

can't type a password to prove who it might be.

03:09

And in most cases, you probably wouldn't

03:12

want to store a password on one of your systems

03:14

out in the field anyway.

03:16

So how can you really confirm that that system is allowed

03:19

to be on our internal network?

03:21

How do we provide that additional authentication?

03:24

In many cases, we use a certificate

03:27

that we put onto this device that is digitally signed.

03:31

And we check that authentication during the login process.

03:34

This allows anyone needing to provide that verification

03:38

with a way to confirm that that really

03:40

is a company-owned laptop.

03:42

This could be on a VPN concentrator

03:44

so that it can verify that the devices coming into the network

03:47

really are company devices.

03:50

Or perhaps it's management software

03:51

that can validate that end device that

03:53

may be either on our local network

03:55

or anywhere in the world.

03:58

The process for creating this certificate

04:00

is relatively straightforward.

04:02

But the one thing that you must have in your environment

04:05

is something called a Certificate Authority, or a CA.

04:09

This is a device or software that

04:11

is responsible for managing all of the certificates

04:14

in our environment.

04:15

On the CA itself, you would create a certificate just

04:19

for that laptop.

04:20

That certificate is now digitally signed

04:23

by the certificate authority so that, later on, we

04:26

can verify that it really is an original certificate

04:30

from our certificate authority.

04:32

Now we put that certificate on the laptop

04:35

and, anytime we want to perform an authentication,

04:38

we can use that certificate as an authentication factor

04:41

and verify that it really was digitally signed

04:44

by the certificate authority.

04:46

So as part of your security infrastructure,

04:48

you would have a certificate authority.

04:50

That certificate authority itself

04:52

has its own certificate that was signed by a root CA.

04:56

We also have our laptop in the field.

04:59

And we have previously created a device certificate just

05:02

for this machine.

05:04

And it has been signed by the CA.

05:06

Once we know the CA certificate and we know the device

05:10

certificate, we can then compare these two certificates.

05:13

And we can see that our device certificate was signed

05:16

by the certificate authority that we trust in our security

05:20

infrastructure.

05:21

Now that we've gone through the authentication process,

05:24

how do we authorize that device to have access to resources

05:28

within our network?

05:29

We would do that by using an authorization model.

05:32

And there are many different authorization models

05:35

to choose from.

05:36

We have a big list of these later on in the video series,

05:39

in section 4.6.

05:41

We would commonly authorize users and services

05:44

to have access to certain types of data and applications.

05:48

The challenge here is, how do you create this relationship

05:52

in a form that's able to easily scale for tens, hundreds,

05:56

or even thousands of users?

05:59

In many environments, we accomplish this

06:01

by taking the users and services and putting an authorization

06:04

model right in the middle before you access

06:07

the data and the applications.

06:09

These are commonly defined by roles, organizations,

06:12

attributes, and many other types of characteristics.

06:16

Let's say that you had no authorization model at all.

06:19

We would create a series of rights and permissions

06:22

where the user has rights to access the resource.

06:26

The problem is that this doesn't scale very well.

06:29

Let's take an example of somebody in the shipping

06:32

and receiving department.

06:33

This is someone who needs access to a large number of systems,

06:37

a lot of data.

06:38

Maybe there's tracking information, shipping labels,

06:41

databases of customers.

06:43

And we would create separate rights and permissions

06:46

so that any time this person logged in,

06:48

we would need to give them rights to create a shipping

06:51

label, track a shipment, view monthly shipment

06:54

reports, access customer data, and perhaps anything else they

06:58

need for their day-to-day operations.

07:00

Now, if this is the only person in shipping and receiving,

07:04

this is a relatively easy process.

07:06

But what if you're part of a larger organization that

07:09

has tens or hundreds of people in shipping and receiving?

07:12

You can see it would be difficult to take

07:14

every single user account and manually set up

07:18

rights and permissions for every single resource

07:21

that they need access to.

07:22

In this case, there's only three resources.

07:25

But imagine if there were tens or hundreds of resources.

07:28

You would need to set those up for the tens

07:30

or hundreds of users.

07:32

You can see now why this would be very difficult to scale.

07:36

To be able to scale, we would need

07:38

to use an authorization model.

07:40

Sometimes you'll hear this referred

07:41

to as an abstraction that allows us

07:44

to separate the users from the information they're

07:47

trying to access.

07:48

This greatly streamlines the process

07:50

of administering these large number of users

07:53

or large number of resources.

07:55

And we can support a very, very large infrastructure

07:58

just with a very simple set of abstractions.

08:01

Here's how this would work.

08:02

We'd have the same user in shipping and receiving,

08:05

and we will add them to a group called Shipping and Receiving.

08:08

We set this group up originally so that anybody

08:12

added to the Shipping and Receiving group

08:14

would have access to create a shipping label,

08:16

track a shipment, view monthly shipment reports,

08:19

have access to customer contact information, and anything else

08:23

you would need in Shipping and receiving.

08:25

Now let's add in our tens or hundreds of users.

08:28

Instead of manually mapping every single user

08:32

to the individual authorizations they need,

08:34

we just simply add all of the users to the Shipping

08:37

and Receiving group.

08:39

With this one single addition, we

08:41

can give tens or hundreds or thousands of users

08:45

access to the resources they might need, regardless

08:48

of how many users there are and regardless

08:50

of how many resources they need to access.