User Authentication; Overview; Authentication Methods; Choosing Passwords - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05

Chapter 8. User Authentication
This chapter describes how NetDefendOS implements user authentication.
• Overview
• Authentication Components
• Authentication Process

8.1. Overview

Before any user service request is authorized by the firewall's security policies, NetDefendOS needs to
verify the identity of that user through a process of authentication.

8.1.1. Authentication Methods

The aim of the authentication process is to have the user prove their identity. What the user supplies
as proof could be:
A. Something the user is. Unique attributes that are different for every person, such as a fingerprint.
B. Something the user has, such as X.509 Digital Certificates, a Passcard, or Public and Private Keys.
C. Something the user knows, such as a password.
Method A requires special devices to scan and read the feature presented, which is often expensive.
Another problem is that the feature usually can't be replaced if it becomes lost. Methods B
and C are therefore the most common in network security. However, these can also have drawbacks.
Keys, for example, might be intercepted, cards might be stolen, people might choose weak passwords
that are easily guessed, or they may simply be bad at keeping a secret. Methods B and C are
therefore often combined. An example of this is a passcard that requires a password or PIN code for
use.
User authentication is frequently used in services such as HTTP, FTP, and VPN. NetDefendOS
uses a Username/Password combination as the primary authentication method, strengthened by
encryption algorithms. More advanced and secure means of authentication include Public-Private
Keys, X.509 Certificates, IPsec/IKE, IKE XAuth, and ID Lists.

8.1.2. Choosing Passwords

Attackers attempting to penetrate networks and obtain user or administrator privileges often
subject passwords to guesswork or systematic searches. To counter this, a password should:
• Be more than 8 characters with no repeats
• Use random character sequences not commonly found in phrases
• Contain both lower and upper case alphabetic characters
• Contain both digits and special characters
Passwords should also:
• Not be recorded anywhere in written form
• Never be revealed to anyone
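
The checkable rules from the list above, written as a validator. This is an added example, not part of the D-Link manual or NetDefendOS. The function name `policy_violations` and the word list are hypothetical, and "no repeats" is assumed to mean that no character occurs more than once.

```python
import string

# Constructed sample of common words; a real check would load a larger dictionary.
COMMON_WORDS = ("password", "admin", "welcome", "firewall", "letmein", "qwerty")


def policy_violations(password, common_words=COMMON_WORDS):
    """Return the section 8.1.2 rules that `password` breaks (empty list = pass)."""
    violations = []

    # "More than 8 characters": a password of exactly 8 characters fails.
    if len(password) <= 8:
        violations.append("length: must be more than 8 characters")

    # Assumption: "no repeats" means no character occurs more than once.
    repeated = sorted({c for c in password if password.count(c) > 1})
    if repeated:
        violations.append("repeats: " + "".join(repeated))

    # Both lower and upper case alphabetic characters are required.
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        violations.append("case: needs both lower and upper case letters")

    # Both digits and special characters are required; report each separately.
    if not any(c.isdigit() for c in password):
        violations.append("digits: needs at least one digit")
    if not any(c in string.punctuation for c in password):
        violations.append("special: needs at least one special character")

    # "Not commonly found in phrases": case-insensitive substring match
    # against the word list (an approximation of that rule).
    lowered = password.lower()
    hits = [w for w in common_words if w in lowered]
    if hits:
        violations.append("phrase: contains common word(s) " + ", ".join(hits))

    return violations


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for candidate in ("tR7#kq2!Zm", "Password1", "aB3$efgh"):
        print(candidate, "->", policy_violations(candidate) or "OK")
```

The two remaining rules (never written down, never revealed) are handling practices and cannot be verified from the password string itself.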