User Authentication; Overview - D-Link NetDefend DFL-210 User Manual

Chapter 8. User Authentication
This chapter describes how NetDefendOS implements user authentication.
• Overview, page 220
• Authentication Setup, page 221

8.1. Overview

In situations where individual users connect to protected resources through a D-Link Firewall, the
administrator will often require that each user goes through a process of authentication before
access is allowed. This chapter deals with setting up authentication for NetDefendOS but first the
general issues involved in authentication are examined.
Proving Identity
The aim of authentication is to have the user prove their identity so that the network administrator
can allow or deny access to resources based on that identity. Possible types of proof could be:
A. Something the user is. Unique attributes that are different for every person, such as a fingerprint.
B. Something the user has, such a passcard, a X.507 Digital Certificate or Public and Private Keys.
C. Something the user knows such as a password.
Method A may require a special biometric reader. Another problem is that the feature often can't be
replaced if it is lost. Methods B and C are therefore the most common in network security.
However, these have drawbacks: Keys might be intercepted, passcards might be stolen, passwords
might be guessable, or people may simply be bad at keeping a secret. Methods B and C are
sometimes combined, for example in a passcard that requires a password or pincode for use.
Using Username/Passwords
This chapter deals specifically with user authentication through validation of username/password
combinations manually entered by a user attempting to gain access to resources. Access to the
Internet using the HTTP protocol through a D-Link Firewall is an example of this where a
username/password combination is the primary authentication method.
In using this approach, passwords are often subject to attacks by guesswork or systematic searches.
To counter this, a password should be carefully chosen. Ideally it should:
• Be more than 8 characters with no repeats.
• Use random character sequences not commonly found in phrases.
• Contain both lower and upper case alphabetic characters.
• Contain both digits and special characters.
To remain secure passwords should also:
• Not be recorded anywhere in written form.
• Never be revealed to anyone else.
• Changed on a regular basis such as every three months.
220