Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98



Chapter 2
The Role of Identification and Authentication in Your Environment

Intrusion detection involves not only knowing that someone is trying to break into your system, but also identifying who the intruder is. This fundamental notion of who in computer environments is at the heart of regulating all of the system’s activities. That is, the subject of an operation is determined by who is performing the act. In this chapter, you learn about weaknesses in authentication systems, what people have done to improve upon these weaknesses, and why intrusion detection is still needed even if you deploy strong authentication tools.

Initially, the focus is on the standard login process used to authenticate a user to the computer. After this material is covered, you will explore authentication between other entities, such as computers or software servers. An in-depth survey of network authentication requires a thorough understanding of network protocols. Although some of the discussion is about authentication across networks, this topic is not covered in detail until Chapter 4, “Traditional Network Security Approaches,” in which you will explore network security.

The material in this chapter begins with discussions of UNIX and NT login procedures. Threats and defenses are identified for traditional password-based authentication. Following this discussion, you learn about alternative authentication servers.

Recall from the preceding chapter that identification and authentication (I&A) can be based on something you know, something you have, or something you are. Note that most operating systems and other products requiring authentication can now use a variety of techniques for verifying the identity of users. For example, IBM’s AIX operating system is designed with an authentication grammar that enables you to plug in different commercial products. The Open Group’s Common Desktop Environment (CDE) also includes a pluggable authentication mechanism. The IBM Firewall supports strong authentication with hardware tokens, too. These enhancements were added because of concerns about relying on a single password for authentication. You can easily add stronger authentication software or hardware to products such as operating systems, firewalls, and databases.

Knowing who is on your system is only part of the story. Knowing what the user did and whether the account has been compromised by an intruder is also important. I&A tools will help you improve upon problems like weak passwords. Intrusion detection tools are needed on top of these to track the activities of your users and to watch for intruders masquerading as normal users.

Identification and Authentication in UNIX

Consider first a configuration that involves a stand-alone, multiuser computer with a directly attached terminal or display unit. After this simple scenario is described, we can elaborate on more complex cases involving network connections. The entities that are involved in UNIX I&A are users and groups.

Users and Groups

In UNIX, users are identified by a unique username: a contiguous string of characters, normally lowercase letters and digits. Uppercase characters are avoided for a historical reason: early terminals could send only uppercase, so the login program treats an all-uppercase username as a sign that it is talking to such a terminal and folds subsequent input to lowercase. Punctuation and other special characters are rarely found in usernames because applications running on the system may have trouble interpreting them.

Paired with each username is a numerical user ID, or UID. UNIX does not require the pairing to be unique: nothing in the operating system prevents two usernames from sharing one UID. The recommended security practice is nevertheless to assign a separate UID to each user. Some versions of UNIX provide higher-level commands or programs for adding users; these programs typically assign the next unused UID or force the administrator to enter an unused one. Even so, an administrator can bypass these utilities and assign the same UID to more than one user. The mappings between usernames and UIDs are defined in the /etc/passwd file, which the machine’s administrator usually can edit directly, and that is how two usernames end up paired with the same UID.

UNIX uses the UID as the subject identifier for most of its access control decisions. The username is rarely needed for anything other than the initial login I&A phase. Because the UID is the basis for many decisions made by the reference monitor, you can see why duplicate UIDs are a problem. If several users operate under the same UID, the kernel cannot tell them apart, and determining accountability for actions is more difficult, though not impossible: the login records (wtmp, for example) still show which username was typed, even though file ownership, process listings, and audit records resolve the UID to whichever /etc/passwd entry comes first. The worst case is a second entry with UID 0, which is a complete duplicate of root under another name and is a standard item on any audit checklist. For the sake of simplicity, the remaining discussions assume that a UID is assigned to only one user.

UNIX also provides a means for combining users into groups. Each group is identified by a groupname and a group ID (GID). A user belongs to a primary group, whose GID is stored with the user’s record in /etc/passwd, and to zero or more secondary groups. All groups defined on the system are listed in /etc/group, which is also where secondary memberships are recorded. GIDs are also needed by the UNIX reference monitor for making some access control decisions.

Figure 2.1 shows a dump of the /etc/passwd file from a UNIX system. Each entry in the file occupies one logical line; that is, an entry is terminated by an end-of-line (EOL) character. Fields in a record are separated by the colon character (:). Table 2.1 explains the meaning of each field. Note that on a system without shadow passwords the hashed password sits in the second field of this world-readable file, where any local user can copy it and run a password-guessing program against it offline; most versions of UNIX now let you move the hashes into a file readable only by root (/etc/shadow on many systems), leaving a placeholder in /etc/passwd. Entries in /etc/group use the same colon-separated layout: groupname, a group password field (rarely used and usually empty), the GID, and a comma-separated list of the users for whom the group is a secondary group. Figure 2.2 shows the contents of an example /etc/group file.


Figure 2.1  Typical contents of the /etc/passwd file.

Table 2.1 Interpretation of Fields in a Record in /etc/passwd

Record: terry:fC3/.rj29MBD:101:100:Terry Escamilla:/home/terry:/bin/ksh

Field            Contents
terry            Username
fC3/.rj29MBD     Hashed password value
101              UID
100              Group ID (GID)
Terry Escamilla  Full name of user
/home/terry      Home directory of user
/bin/ksh         Login shell for user


Figure 2.2  Contents of the /etc/group file.
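The /etc/passwd and /etc/group layouts described above, worked through as an added example that is not part of the original book: a small Python script that parses both files, flags the duplicate-UID and empty-password-field cases the text warns about, and resolves a user's primary and secondary groups the way the reference monitor would see them. The sample records are constructed for the example (they are not the contents of Figures 2.1 and 2.2), and the function names are the example's own.

```python
"""Parse /etc/passwd and /etc/group records and audit them for the
problems discussed in the text: duplicate UIDs and empty password fields.

Added example; the sample records below are constructed, not copied
from the book's figures.
"""
from collections import defaultdict

# Constructed sample /etc/passwd: 'sysadm' shares UID 0 with root,
# 'ops' shares UID 101 with terry, and 'guest' has an empty password field.
SAMPLE_PASSWD = """\
root:Xm9.aQ2kLp4Zs:0:0:root:/:/bin/sh
daemon:*:1:1:daemon:/:/bin/false
terry:aB3/.rj29MBDq:101:100:Terry Escamilla:/home/terry:/bin/ksh
ops:Ck7Qz1tN9vRwe:101:100:Operations:/home/ops:/bin/ksh
sysadm:Lp0mN3qR8sTuv:0:0:Second root:/:/bin/sh
guest::102:100:Guest Account:/home/guest:/bin/sh
"""

# Constructed sample /etc/group: groupname:password:GID:member,member,...
SAMPLE_GROUP = """\
root::0:root
daemon::1:
users::100:
wheel::10:root,terry
audit::200:terry,ops
"""

PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
GROUP_FIELDS = ("name", "password", "gid", "members")


def _records(text, fields, numeric):
    """Split colon-separated records into dicts.

    Returns (parsed, malformed): a record with the wrong number of fields
    or a non-numeric ID is reported, not silently guessed at.
    """
    parsed, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue                      # blank lines carry no record
        parts = line.split(":")
        if len(parts) != len(fields):
            malformed.append((lineno, line))
            continue
        rec = dict(zip(fields, parts))
        try:
            for f in numeric:
                rec[f] = int(rec[f])
        except ValueError:
            malformed.append((lineno, line))
            continue
        parsed.append(rec)
    return parsed, malformed


def parse_passwd(text):
    """Seven fields per record; UID and GID are converted to integers."""
    return _records(text, PASSWD_FIELDS, ("uid", "gid"))


def parse_group(text):
    """Four fields per record; the member list becomes a Python list."""
    entries, malformed = _records(text, GROUP_FIELDS, ("gid",))
    for e in entries:
        e["members"] = [m for m in e["members"].split(",") if m]
    return entries, malformed


def duplicate_uids(passwd_entries):
    """UID -> usernames, for every UID shared by more than one username."""
    by_uid = defaultdict(list)
    for e in passwd_entries:
        by_uid[e["uid"]].append(e["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def empty_passwords(passwd_entries):
    """Usernames whose password field is empty: login asks for no password."""
    return [e["name"] for e in passwd_entries if e["password"] == ""]


def groups_for(username, passwd_entries, group_entries):
    """Primary group (GID in passwd) plus every secondary group naming the user.

    Returns None when the username is not in the passwd entries.
    """
    user = next((e for e in passwd_entries if e["name"] == username), None)
    if user is None:
        return None
    names = {g["name"] for g in group_entries
             if g["gid"] == user["gid"] or username in g["members"]}
    return sorted(names)


if __name__ == "__main__":
    passwd, bad_passwd = parse_passwd(SAMPLE_PASSWD)
    group, bad_group = parse_group(SAMPLE_GROUP)
    for uid, names in sorted(duplicate_uids(passwd).items()):
        print(f"UID {uid} shared by: {', '.join(names)}")
    for name in empty_passwords(passwd):
        print(f"empty password field: {name}")
    for lineno, line in bad_passwd + bad_group:
        print(f"malformed record at line {lineno}: {line}")
    print("terry belongs to:", groups_for("terry", passwd, group))
```

Run against a real system with `parse_passwd(open("/etc/passwd").read())` and `parse_group(open("/etc/group").read())`; a shared UID 0 reported by `duplicate_uids` is the case the text singles out, and the malformed-record list is worth reading too, since a hand-edited /etc/passwd is exactly where a missing field creeps in.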

