Identify and authenticate systems and system components, where possible, before establishing a network connection using bidirectional authentication that is cryptographically based and replay resistant.
Cryptographically-based and replay-resistant authentication between systems, components, and devices addresses the risk of unauthorized access from spoofing (i.e., claiming a false identity). The requirement applies to client-server authentication, server-server authentication, and device authentication (including mobile devices). The cryptographic key for authentication transactions is stored in suitably secure storage available to the authenticator application (e.g., keychain storage, Trusted Platform Module [TPM], Trusted Execution Environment [TEE], or secure element). Mandating authentication requirements at every connection point may not be practical, and therefore, such requirements may only be applied periodically or at the initial point of network connection.
[NIST SP 800-63-3] provides guidance on identity and authenticator management.
The intent of this practice is to prevent unauthorized devices from connecting to one another. One example satisfying this requirement is a web server configured with transport layer security (TLS) using mutual authentication. At a lower level in the OSI stack, IPsec provides application-transparent mutual authentication. Another example would be implementing 802.1X technology to enforce port based NAC. This is done by enabling 802.1X on switches, wireless access points, and VPN connections for a given network. 802.1X defines authentication controls for devices trying to access a given network. NAC controls authorization and policy management. For this to be implemented, bidirectional authentication must be turned on via 802.1X. Once successfully authenticated, the device may communicate on the network. A final example, at the application-server level, involves the use of Kerberos to control 1) which files a client can access and 2) the transmission of sensitive data from the client to the server.
You are the network engineer in charge of implementing this requirement. You have been instructed to implement a technology that will provide mutual authentication for client server connections. You implement Kerberos.
On the server side, client authentication is implemented by having the client establish a local security context. This is initially accomplished by having the client present credentials which are confirmed by the Active Directory Domain Controller (DC). After that, the client may established context via a session of a logged-in user. The service does not accept connections from any unauthenticated client.
On the client side, server authentication requires registration, using administrator privileges, of unique Service Provider Names (SPNs) for each service instance offered. The names are registered in the Active Directory Domain Controller. When a client requests a connection to a service, it composes an SPN for a service instance, using known data or data provided by the user. For authentication, the client presents its SPN to the Key Distribution Center (KDC), and the KDC searchs for computers with the registered SPN before allowing a connection via an encrypted message passed to the client for forwarding to the server.
You are the network engineer in charge of implementing this requirement. You have been instructed to implement a technology that will provide authentication for each system prior to connecting to the environment. You implement the company-approved scheme that uses cryptographic keys installed on each system for it to authenticate to the environment, as well as user-based cryptographic keys that are used in combination with a user’s password for user-level authentication [a,c]. Your authentication implementation is finalized on each system using an ACM solution. When a system connects to the network, the system uses the system-level certificate to authenticate itself to the switch before the switch will allow it to access the corporate network [a,c]. This is accomplished using 802.1x technology on the switch and by authenticating with a RADIUS server that authenticates itself with the system via cryptographic keys. If either system fails to authenticate to the other, the trust is broken, and the system will not be able to connect to or communicate on the network. You also set up a similar implementation in your wireless access point.
You are the network engineer in charge of implementing the VPN solution used by the organization. To meet this requirement, you use a VPN gateway server and public key infrastructure (PKI) certificates via a certification authority (CA) and a chain of trust. When a client starts a VPN connection, the server presents its certificate to the client and if the certificate is trusted, the client then presents its certificate to the server [a]. If the server validates the client certificate, an established communications channel is opened for the client to finish the authentication process and gain access to the network via the VPN gateway server [c]. If the client fails final authentication, fails the certification validation, or the VPN gateway fails the certificate check by the client, the communication channel will be denied.
Potential Assessment Considerations
- Are cryptographic keys stored securely [a]?
- Has the requirement been implemented for any of the three use cases, where applicable: client-server authentication, server-server authentication, and device authentication [b,c]?