
Sunday, June 22, 2014

A Quick Overview - SFA, TFA & MFA

What is SFA - Single Factor Authentication 


This is “something a user knows.”  The most recognized type of Single Factor Authentication method is the password. Single Factor Authentication (SFA) is the traditional security process that requires a user name and password before granting access to the user.

SFA security relies on the diligence of the user, who should take additional precautions -- for example, creating a strong password and ensuring that no one can access it. For applications that require greater security, it may be advisable to implement more complex systems, such as Multi Factor Authentication.




What is TFA - Two Factor Authentication


In Two Factor Authentication, in addition to the first factor, the second factor is “something a user has.”  Examples of something a user has are a fob that generates a pre-determined code, a signed digital certificate or even a biometric such as a fingerprint.  The most recognized form of two-factor authentication is the ubiquitous RSA SecurID fob.

In a Two Factor Authentication system, the user provides dual means of identification, one of which is typically a physical token, such as a card, and the other of which is typically something memorized, such as a security code. This is a process involving two stages to verify the identity of an entity trying to access services in a computer or in a network. In a Two Factor Authentication, each step involves a different authentication factor.

An Automated Teller Machine (ATM) typically requires Two Factor Authentication. To prove that users are who they claim to be, the system requires two items: an ATM smartcard (application of the possession factor) and the personal identification number (PIN) (application of the knowledge factor). In the case of a lost ATM card, the user's accounts are still safe; anyone who finds the card cannot withdraw money as they do not know the PIN. The same is true if the attacker has only knowledge of the PIN and does not have the card. This is what makes Two Factor Authentication more secure: there are two factors required in order to authenticate.




What is MFA - Multi Factor Authentication


In Multi Factor Authentication, in addition to the previous two factors, the third factor is “something a user is.”  Examples of a third factor are all biometric, such as the user’s voice, hand configuration, a fingerprint, a retina scan or similar.  The most recognized form of Multi Factor Authentication is usually the retina scan with Two Factor Authentication.

Multi Factor Authentication is an approach to authentication which requires the presentation of the three authentication factors: a knowledge factor ("something only the user knows"), a possession factor ("something only the user has"), and an inherence factor ("something only the user is"). After presentation, each factor must be validated by the other party for authentication to occur.

Multi Factor Authentication is often confused with other forms of authentication. Multi Factor Authentication requires the use of the three authentication factors. The factors are identified in the standards and regulations for access to U.S. Federal Government systems. These factors are:

  1. Something only the user knows (e.g., password, PIN, pattern);
  2. Something only the user has (e.g., ATM card, smart card, mobile phone); and
  3. Something only the user is (e.g., biometric characteristic, such as a fingerprint)

The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access a target such as a physical location, computing device, network or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.

Typical MFA scenarios include:

  • Swiping a card and entering a PIN.
  • Downloading a VPN client with a valid digital certificate and logging into the VPN before being granted access to a network.
  • Logging into a website and being requested to enter an additional one-time password (OTP) that the website's authentication server sends to the requester's phone or email address.
  • Swiping a card, scanning a fingerprint and answering a security question.
  • Attaching a USB hardware token to a desktop that generates an OTP and using the one-time password to log into a VPN client.
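A server-side check for the one-time password factor in the scenarios above, added here as an example (it is not part of the original post). It assumes the token uses counter-based HOTP from RFC 4226, which the post does not specify; `TokenRecord`, `verify_second_factor` and `login` are hypothetical names.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenRecord:
    """Server-side state for one user's token (the possession factor)."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter  # next counter value the server will accept


def verify_second_factor(record: TokenRecord, submitted: str, window: int = 3) -> bool:
    """Accept a code from the next `window` + 1 counters, then burn it."""
    for c in range(record.counter, record.counter + window + 1):
        expected = hotp(record.secret, c)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            record.counter = c + 1  # this code and all older ones are now dead
            return True
    return False


def login(password_ok: bool, record: TokenRecord, otp: str) -> bool:
    """Both factors must pass; the OTP is only consumed if the password did."""
    return password_ok and verify_second_factor(record, otp)


if __name__ == "__main__":
    # Constructed sample: the shared secret is the RFC 4226 test key.
    rec = TokenRecord(b"12345678901234567890")
    print(login(True, rec, hotp(rec.secret, 2)))  # user pressed the fob twice unseen
    print(login(True, rec, hotp(rec.secret, 2)))  # replay of the same code
```

Advancing the stored counter on success is what makes each code single-use, so a code captured in transit cannot be replayed.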

In the United States, interest in Multi Factor Authentication has been driven by regulations such as the Federal Financial Institutions Examination Council (FFIEC) directive calling for Multi Factor Authentication for Internet banking transactions.








Sunday, June 1, 2014

A Quick Overview - IP Spoofing

IP Spoofing (IP address forgery or a host file hijack)


IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system.

IP spoofing, also known as IP address forgery or a host file hijack, is a hijacking technique in which a cracker masquerades as a trusted host to conceal his identity, spoof a Web site, hijack browsers, or gain access to a network. Here's how it works: The hijacker obtains the IP address of a legitimate host and alters packet headers so that the legitimate host appears to be the source.

When IP spoofing is used to hijack a browser, a visitor who types in the URL (Uniform Resource Locator) of a legitimate site is taken to a fraudulent Web page created by the hijacker. For example, if the hijacker spoofed the Instagram Web site, then any Internet user who typed in the URL www.instagram.com would see spoofed content created by the hijacker.

If a user interacts with dynamic content on a spoofed page, the hijacker can gain access to sensitive information or computer or network resources. He could steal or alter sensitive data, such as a credit card number or password, or install malware. The hijacker would also be able to take control of a compromised computer to use it as part of a zombie army in order to send out spam.

Web site administrators can minimize the danger that their IP addresses will be spoofed by implementing hierarchical or one-time passwords and data encryption/decryption techniques. 

Users and administrators can protect themselves and their networks by installing and implementing firewalls that block outgoing packets with source addresses that differ from the IP address of the user's computer or internal network.

IP spoofing is most frequently used in denial-of-service attacks. In such attacks, the goal is to flood the victim with overwhelming amounts of traffic, and the attacker does not care about receiving responses to the attack packets. Packets with spoofed addresses are thus suitable for such attacks. They have additional advantages for this purpose—they are more difficult to filter since each spoofed packet appears to come from a different address, and they hide the true source of the attack. Denial of service attacks that use spoofing typically randomly choose addresses from the entire IP address space, though more sophisticated spoofing mechanisms might avoid unroutable addresses or unused portions of the IP address space. The proliferation of large botnets makes spoofing less important in denial of service attacks, but attackers typically have spoofing available as a tool, if they want to use it, so defenses against denial-of-service attacks that rely on the validity of the source IP address in attack packets might have trouble with spoofed packets. Backscatter, a technique used to observe denial-of-service attack activity in the Internet, relies on attackers' use of IP spoofing for its effectiveness.

IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses. This method of attack on a remote system can be extremely difficult, as it involves modifying thousands of packets at a time. This type of attack is most effective where trust relationships exist between machines. 

For example, it is common on some corporate networks to have internal systems trust each other, so that users can log in without a username or password provided they are connecting from another machine on the internal network (and so must already be logged in). By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without authentication.
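The firewall rule described earlier (block outgoing packets whose source is not the internal network) and its inbound counterpart for the trusted-host case above, as an added example that is not from the original post. The internal prefix, the unroutable list and the sample packets are constructed assumptions; `filter_packet` is a hypothetical name.

```python
import ipaddress

# Constructed assumption: the site's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# A short, explicit list of sources that should never cross a border router.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(direction: str, src: str):
    """Decide what the border firewall does with a packet.

    direction: "out" = leaving the internal network, "in" = arriving from outside.
    Returns (action, reason).
    """
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    addr = ipaddress.ip_address(src)
    if _in_any(addr, UNROUTABLE):
        return ("drop", "unroutable source address")
    internal = _in_any(addr, INTERNAL_NETS)
    if direction == "out" and not internal:
        # Egress filtering: our hosts may only send with our own addresses.
        return ("drop", "egress: source is not an internal address")
    if direction == "in" and internal:
        # Ingress filtering: an internal source cannot arrive from outside,
        # so IP-based trust between internal machines is not reachable this way.
        return ("drop", "ingress: internal source seen on external side")
    return ("allow", "source consistent with direction")


# Constructed sample traffic: (direction, source address).
SAMPLE_PACKETS = [
    ("out", "10.20.5.9"),      # normal outbound traffic
    ("out", "198.51.100.7"),   # internal host forging an outside source
    ("in", "203.0.113.50"),    # normal inbound traffic
    ("in", "10.20.0.1"),       # outsider posing as a trusted internal host
    ("in", "127.0.0.1"),       # loopback source from the wire
]

if __name__ == "__main__":
    for direction, src in SAMPLE_PACKETS:
        print(direction, src, *filter_packet(direction, src))
```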

Spoofed IP packets are not incontrovertible evidence of malicious intent: in performance testing of websites, hundreds or even thousands of "vusers" (virtual users) may be created, each executing a test script against the Web site under test, in order to simulate what will happen when the system goes "live" and a large number of users log on at once.

Since each user will normally have their own IP address, commercial testing products (such as HP's LoadRunner software or Websense etc.) can use IP spoofing, allowing each user its own "return address" as well.










A Quick Overview - NMS (Network Management / Monitoring System)

NMS (Network Management / Monitoring System)


A Network Management/Monitoring System (NMS) is a set of hardware and/or software tools that allow an IT professional to supervise the individual components of a network within a larger network management framework.

Network management system components assist with: 


  • Network device discovery -  identifying what devices are present on a network.

  • Network device monitoring - monitoring at the device level to determine the health of network components and the extent to which their performance matches capacity plans and intra-enterprise Service-Level Agreements (SLAs).

  • Network performance analysis - tracking performance indicators such as bandwidth utilization, packet loss, latency, availability and uptime of routers, switches and other Simple Network Management Protocol (SNMP)/WMI-enabled devices.

  • Intelligent notifications - configurable alerts that will respond to specific network scenarios by paging, emailing, calling or texting a network administrator.

Some enterprise level NMS













IMPORTANT: Choosing, implementing and configuring any NMS requires domain-specific knowledge. A wrong configuration of any NMS may slow down network performance!