4.2 Explain authentication and access controls.

Question 1

AAA framework

Answer 1

Identification - Usually your username

Authentication
Authorization
Accounting

Question 2

Authentication

Answer 2

Prove you are who you say you are

Password and other authentication factors

Question 3

Authorization

Answer 3

Based on your identification and authentication, what access do you have?

Question 4

Accounting

Answer 4

Resources used: Login time, data sent and received, logout time

Question 5

RADIUS (Remote Authentication Dial-in User Service)

Answer 5

One of the more common AAA protocols
Supported on a wide variety of platforms and devices
Not just for dial-in
Centralize authentication for users - Routers, switches, firewalls• Server authentication• Remote VPN access• 802.1X network access
RADIUS services available on almost any server operating system

Question 6

TACACS

Answer 6

Terminal Access Controller Access-Control System

• Remote authentication protocol• Created to control access to dial-up lines to ARPANET

Question 7

XTACACS (Extended TACACS)

Answer 7

A Cisco-created (proprietary) version of TACACS

Additional support for accounting and auditing

Question 8

TACACS+

Answer 8

The latest version of TACACS, not backwards compatible

More authentication requests and response codes• Released as an open standard in 1993

Question 9

Kerberos

Answer 9

Standard since the 1980s MIT RFC 4120 -Microsoft starting using Kerberos in Windows 2000
Network authentication protocol -Authenticate once, trusted by the system
Mutual authentication - the client and the server
Protect against man-in-the-middle or replay attacks

Question 10

SSO with Kerberos

Answer 10

Authenticate one time
No constant username and password input! - Save time
Only works with Kerberos

Question 11

LDAP (Lightweight Directory Access Protocol)

Answer 11

reading and writing directories over an IP network
Windows AD
LDAP is the protocol used to query and update an X.500 directory
MAC Apple OpenDirectory, OpenLDAP, etc
Builds a tree

Question 12

Container objects

Answer 12

Country, organization, organizational units

Question 13

Leaf objects

Answer 13

Users, computers, printers, files

Question 14

Local authentication

Answer 14

Credentials are stored on the local device Does not use a centralized database
initial local account on device
Difficult to scale local accounts
Sometimes useful as a backup

Question 15

Certificate-based authentication

Answer 15

Smart card
PIV (Personal Identity Verification) card
CAC (Common Access Card)
IEEE 802.1X

Question 16

Smart card -

Answer 16

Private key is on the card

Question 17

PIV (Personal Identity Verification) card

Answer 17

US Federal Government smart card

Picture and identification information

Question 18

CAC (Common Access Card)

Answer 18

US Department of Defense smart card

Picture and identification

Question 19

IEEE 802.1X

Answer 19

Gain access to the network using a certificate

On device storage or separate physical device

Question 20

Auditing

Answer 20

Log all access details -OS logins, VPN, device access

Question 21

Usage auditing

Answer 21

How are your resources used?• Are your systems and applications secure?

Question 22

Time-of-day restrictions

Answer 22

Nobody needs to access the lab at 3 AM

Question 23

Multi-factor authentication

Answer 23

More than one factor
• Something you are
• Something you have
• Something you know
• Somewhere you are
• Something you do

Question 24

Something you know

Answer 24

Password - Secret word/phrase, string of characters
PIN - Personal identification number
Pattern - Complete a series of patterns

Question 25

Something you have

Answer 25

Integrates with devices
• May require a PIN
• USB token Certificate is on the USB device
• Hardware or software tokens
• Generates pseudo-random authentication codes
Your phone - SMS a code to your phone

Question 26

Something you are

Answer 26

Biometric authentication -Fingerprint, iris scan, voiceprint

Question 27

Somewhere you are

Answer 27

Provide a factor based on your location

IP address IPV4 only

Question 28

Mobile device location services

Answer 28

Geolocation to a very specific area• Must be in a location that can receive GPS information or near an identified mobile or 802.11 network• Still not a perfect identifier of location

Question 29

Something you do

Answer 29

A personal way of doing things - You’re special
Handwriting analysis - Signature comparison or writing technique

Very similar to biometrics - Close to something you are

Question 30

Typing technique

Answer 30

Delays between keystrokes

Question 31

Network Access Control (NAC)

Answer 31

IEEE 802.1X - Port-based
You don’t get access until you authenticate
Makes extensive use of EAP and RADIUS
physical interfaces Not TCP or UDP ports
Administrative enable/disable
Duplicate MAC address checking - Stop the spoofers

Question 32

Port security

Answer 32

Prevent unauthorized users from connecting to a switch interface - Alert or disable the port
Based on the source MAC address
Each port has its own config

Question 33

Port security operation

Answer 33

Configure a maximum number of source MAC addresses on an interface
The switch monitors the number of unique MAC addresses
Once you exceed the maximum, port security activates - Default is to disable the interface

Question 34

MAC filtering

Answer 34

Security through obscurity
Media Access Control - The “hardware” address
Limit access through the physical hardware address
Easy to find working MAC addresses through wireless LAN analysis

Question 35

Captive portal

Answer 35

Authentication to a network
Access table recognizes a lack of authentication
Username / password
Once proper authentication is provided, the web session continues

Question 36

Access Control Lists (ACLs)

Answer 36

Used to allow or deny traffic - NAT, QoS, etc.
Defined on the ingress or egress of an interface
ACLs evaluate on certain criteria
Source IP, Destination IP, TCP port numbers, UDP port numbers, ICMP
Deny or permit - What happens when an ACL matches the traffic?