the wire to solve the problem. Furthermore, the table of passwords on the server is not encrypted. What happens is this: When someone types in a user name, the server generates a random key and sends the key (also in clear text) to the user. The user uses the key to encrypt his or her password and sends the encrypted password back to the server. The server checks the password table for the key it assigned, and encrypts the password. The server then compares the encrypted password from the user with the encrypted password it created. If they match, the user is allowed in.
<P>CHAP performs an additional check to authenticate the user, that is, it attempts to verify that the person in an ongoing session is the person originally authorized. CHAP continuously sends different challenges to the user throughout the session, not just at the beginning. This authentication process solves problems with unattended-but-logged-in workstations. This system also solves the problem of password theft by packet sniffing, since the password sent between user and server is encrypted. However, the password file itself is vulnerable, since it's not encrypted.
<P>Extensive systems have been devised that combine encryption, password technology, and authentication to make sure that no unauthorized person can gain access to intranets.
<P>One particularly secure authentication system is called Kerberos. Kerberos is named after the mythological three-headed dog who guarded the gates of Hades in Greek mythology. (The dog is also called Cerberus, sometimes spelled Kerberos.) Developed at the Massachusetts Institute of Technology, the Kerberos system requires that all computers, servers, and workstations be running the Kerberos software. When anyone wants to get onto the network, they have to type in a password and user name. They are then given an encrypted token by the system. In order to use any network resource, that encrypted token is required.
This stops any intruders from accessing any intranet resources unless they first go through password authentication.
<H2><A NAME="HowPasswordsWork"><FONT SIZE=5 COLOR=#FF0000>How Passwords Work</FONT></A></H2>
<P>One of an intranet's first lines of defense is to use password protection. A variety of security techniques, including encryption, helps ensure that passwords are kept secure. It is also necessary to require that passwords are changed frequently, are not easily guessed or common dictionary words, and are not simply given out. Authentication is the additional step of verifying that the person providing the password is the person authorized to do so.
<H3><A NAME="PasswordAuthenticationProtocol">Password Authentication Protocol</A></H3>
<OL>
<LI>The server encrypts the password it receives from the user, using the same encryption technique used to encrypt the server table of passwords. It compares the encrypted password from the user against the encrypted password in the table. If the results match, the user is allowed into the system. If the results don't match, the user isn't allowed in.
<LI>People's passwords and user names on an intranet are stored in table form in a file on a server that verifies passwords. Often, the file name is <I>passwd</I> and the directory it is in is <I>/etc</I>. Depending on the password authentication technique to be used, the file may either be encrypted or not encrypted.
<LI>One method of authenticating a user is through the Password Authentication Protocol (PAP).
PAP doesn't mandate encryption, but the table of passwords on the server is usually encrypted. When someone wants to log into the network or a password-protected network resource, they are asked for a user name and password. The user name and password are then sent to the server.
</OL>
<H3><A NAME="ChallengeHandshakeAuthenticationProtocol">Challenge Handshake Authentication Protocol</A></H3>
<OL START=4>
<LI>The Challenge Handshake Authentication Protocol (CHAP) system is a challenge-response system. CHAP requires an unencrypted table of passwords. When someone logs into a system with CHAP, a random key is generated by the server and sent to the user for encrypting his or her password.
<LI>The user's computer uses this key to encrypt his or her password. The encrypted password is then sent back to the server. The server refers to the password table for the random key, and encrypts the password with the same key that was sent to the user. The server then compares the encrypted password from the user with the encrypted password it created. If they match, the user is allowed in.
<LI>The key difference with CHAP is that <I>the server continues to challenge the user's computer throughout the session</I>. Additionally, different challenges are sent that must be encrypted and returned by the computer, without human intervention. This way CHAP limits your window of vulnerability. A session cannot be hijacked, since a hijacker would be dropped once his computer failed to respond correctly to the periodically occurring challenges.
<LI>No matter which kind of password system is used, and whether the password table is encrypted or not, it's important to protect the password table.
The file must be protected against FTP access and there should be very restricted access to the file so that only the administrator or someone under the administrator's control can gain access to it.
</OL>
<H2><A NAME="HowAdditionalAuthenticationSystemsWork"><FONT SIZE=5 COLOR=#FF0000>How Additional Authentication Systems Work</FONT></A></H2>
<P>Various methods and devices provide additional security barriers to prevent unauthorized access. Devices supplement the "something you know" of login names and passwords with the requirement that remote users also provide "something you have." Many intranets allow people from remote locations to dial in to the intranet and use its resources. In order to get onto the network, a user name and password are required. Authentication systems are built to make sure that people logging into an intranet really are who they claim to be. This is especially important for remote access, since none of the physical security necessary to enter a company's headquarters is available to screen dial-in users.
<UL>
<LI>A call-back system is one way to ensure that only people who are supposed to dial in are allowed in. In a call-back system, after a user logs in with a user name and password, the system hangs up and calls back to a predetermined phone number. That way, no one can pose as an employee, since the system will call only specific phone numbers. This works for telecommuters who consistently work from their home, but is not practical for a roving sales force who never know the numbers in advance.
<LI>Security devices that continuously respond to challenges are useful tools for roving sales forces. Users carry a card reader device and insert their card to answer the challenge issued by the server software when they log in. The server software continues to challenge the user's card during the session as well.
<LI>"Packet sniffing" and replay is one of the dangers that can be avoided by additional authentication measures.
The nature of Ethernet contributes to packet sniffing and spoofing vulnerability because all of the packets pass through the network and can be picked up by unauthorized users. Essentially, an attacker can eavesdrop on and record legitimate traffic and replay it to trick the system into thinking the replayed traffic is from a legitimate source. A variation of this is session hijacking, where rather than simply inserting traffic into the data stream, legitimate traffic is waylaid and substitute traffic is inserted.
</UL>
<HR>
<CENTER><P><A HREF="ch17.htm"><IMG SRC="PC.GIF" BORDER=0 HEIGHT=88 WIDTH=140></A><A HREF="#CONTENTS"><IMG SRC="CC.GIF" BORDER=0 HEIGHT=88 WIDTH=140></A><A HREF="contents.htm"><IMG SRC="HB.GIF" BORDER=0 HEIGHT=88 WIDTH=140></A><A HREF="ch19.htm"><IMG SRC="NC.GIF" BORDER=0 HEIGHT=88 WIDTH=140></A><HR WIDTH="100%"></P></CENTER>
</BODY></HTML>
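The following Python model is an added example, not code from the book or from any PAP or CHAP implementation. It ties together the three ideas the chapter describes: the PAP arrangement (hashed password table, password sent over the wire), the CHAP arrangement (cleartext password table, random per-check challenge, periodic re-challenges during the session), and the packet-sniffing-and-replay risk. The "network", the "sniffer" and the user table are all constructed in-process objects; PBKDF2 stands in for the chapter's "encrypted" password table and HMAC-SHA256 for "encrypting the password with the key" (the real CHAP standard hashes challenge plus secret with MD5, but the structure is the same).

```python
"""Toy model of PAP-style and CHAP-style password checks with a sniff-and-replay
attempt against each. Constructed for illustration; nothing here talks to a
real network."""
import hashlib
import hmac
import os

# Constructed sample credentials (not real accounts).
USERS = {"alice": "correct horse battery", "bob": "s3cret-pw"}


# ---------- PAP-style: table holds salted hashes, password crosses the wire ----------

def pap_make_table(credentials):
    """Store only a per-user salt and a PBKDF2 hash, never the password itself."""
    table = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        table[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
    return table


def pap_verify(table, user, password):
    """Re-hash what the client sent and compare against the stored hash."""
    entry = table.get(user)
    if entry is None:
        return False
    salt, stored = entry
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(digest, stored)


def pap_replay_demo():
    """A sniffer copies the (user, password) message and sends it again later."""
    table = pap_make_table(USERS)
    wire_message = ("alice", USERS["alice"])   # what actually crosses the wire
    captured = wire_message                     # the sniffer's copy
    first = pap_verify(table, *wire_message)
    replayed = pap_verify(table, *captured)
    return first, replayed                      # (True, True): replay works


# ---------- CHAP-style: cleartext table, fresh challenge per check ----------

def chap_response(challenge, password):
    """Client side: combine the server's random key with the password one-way."""
    return hmac.new(password.encode(), challenge, "sha256").digest()


class ChapServer:
    """Keeps passwords in the clear (CHAP must recompute the response itself),
    issues a fresh random challenge per check, and consumes each challenge once."""

    def __init__(self, credentials):
        self._table = dict(credentials)   # cleartext, as the chapter notes
        self._pending = {}                # user -> outstanding challenge

    def challenge(self, user):
        chal = os.urandom(16)
        self._pending[user] = chal
        return chal

    def verify(self, user, response):
        chal = self._pending.pop(user, None)   # a challenge is good for one answer
        if chal is None or user not in self._table:
            return False
        expected = chap_response(chal, self._table[user])
        return hmac.compare_digest(expected, response)


def chap_replay_demo():
    """The sniffer captures a valid response, but the next check uses a new key."""
    server = ChapServer(USERS)
    chal1 = server.challenge("alice")
    resp1 = chap_response(chal1, USERS["alice"])
    captured = resp1
    first = server.verify("alice", resp1)
    server.challenge("alice")                   # fresh challenge for the next check
    replayed = server.verify("alice", captured)
    return first, replayed                      # (True, False): replay fails


def chap_session_demo(rounds=3):
    """Periodic re-challenges: the real client keeps answering; a hijacker who
    took over the connection without the password fails the first re-challenge
    and the server drops the session."""
    server = ChapServer(USERS)
    legit = []
    for _ in range(rounds):
        chal = server.challenge("alice")
        legit.append(server.verify("alice", chap_response(chal, USERS["alice"])))
    hijacker = []
    for _ in range(rounds):
        chal = server.challenge("alice")
        hijacker.append(server.verify("alice", chap_response(chal, "wrong guess")))
        if not hijacker[-1]:
            break                               # session dropped
    return legit, hijacker


if __name__ == "__main__":
    print("PAP  (first login, replay):", pap_replay_demo())
    print("CHAP (first login, replay):", chap_replay_demo())
    print("CHAP session (legit, hijacker):", chap_session_demo())
```

The two demos make the chapter's trade-off concrete: PAP keeps the server table in hashed form but lets a sniffed password be replayed, while CHAP defeats replay and hijacking yet has to hold the password in a form it can recompute from, which is exactly why the chapter insists the password file be locked down regardless of scheme.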