Perle Systems Technical Notes
AAA Security -- Authentication, Authorization, Accounting
Distributed security systems that secure networks and network services against unauthorized access are commonly deployed in large enterprises. This ensures control over who can connect to the network and what those users are authorized to do. It also maintains an audit trail of the user activity.
AAA (Authentication, Authorization, Accounting) protocols such as RADIUS (RFC 2865) and TACACS+, which was developed by Cisco, were created to address these issues. The AAA architecture gives legitimate users the ability to access networked assets while limiting unauthorized access.
Cisco’s Secure ACS application, for example, enables AAA protection for network access using the TACACS+ protocol in many large corporate enterprises today.
Control over access to the management plane in managed switch, high-density Media Converter and Ethernet Extender applications is vitally important. The simple User ID / password implementation provided by some vendors is not enough. Only management modules that utilize the existing authorization schemes in the enterprise, such as TACACS+ or RADIUS, should be deployed. This makes centralized control possible over who can access the management module, what level of authorization they have, and the maintenance of an audit trail.
Perle Systems has long-standing experience in secure network access. Providing equipment with RADIUS and TACACS+ to thousands of companies over many years has given Perle the expertise necessary to offer best-of-breed management for Industrial Switch, Media Converter and Ethernet Extender applications. Perle’s solution exceeds all other offerings on the market.
Let us examine the elements in a AAA security scheme.
User ID / password schemes on network gear provide a primitive level of security. A limited number of account IDs are configured and have to be managed on each piece of hardware. Any time an account is added, deleted or changed, each system must be accessed individually, which is costly and creates opportunities for error. In addition, each user has to remember their own ID and password to gain access. With users already overwhelmed by the many IDs and passwords in their lives, this can pose a problem precisely when the user needs access most. Since IDs and passwords are sent across the network in the clear, simple packet-capture tools will pick up this information easily and expose your network to a security risk.
By utilizing your existing AAA system with Media Converter and Ethernet Extender equipment, these problems are eliminated. IDs and passwords are centralized, and existing accounts can be used for access. The processes already in place for updating accounts eliminate errors and frustration for users. IDs and passwords are encrypted using a proven hashing algorithm, so your accounts are protected from prying eyes.
Perle Industrial Switches with the PRO software feature set support TACACS+ and RADIUS, the most common standard authentication schemes.
To ensure access, redundant primary and secondary authentication servers can also be set up. These can be mixed and matched between server types.
After authenticating the user, authorization dictates which resources the user is allowed to access and which operations the user is allowed to perform. Perle managed Media Converters and Ethernet Extenders provide a full read/write “Administration” user as well as a read-only “Operator” user profile. These levels can be configured and controlled from the authentication server. As a centralized process, this eliminates the hassle associated with editing on a “per box” basis.
The accounting aspect of AAA servers provides an audit trail of how long each user was connected, how they connected and which IP address they came from. This enables administrators to easily review past security and operational access issues should they occur.