4.2 Explain authentication and access controls. Flashcards

1
Q

AAA framework

A

Identification - Usually your username

Authentication
Authorization
Accounting

2
Q

Authentication

A

Prove you are who you say you are

Password and other authentication factors

3
Q

Authorization

A

Based on your identification and authentication, what access do you have?

4
Q

Accounting

A

Resources used: Login time, data sent and received, logout time

5
Q

RADIUS (Remote Authentication Dial-in User Service)

A

One of the more common AAA protocols
Supported on a wide variety of platforms and devices
Not just for dial-in
Centralize authentication for users
• Routers, switches, firewalls
• Server authentication
• Remote VPN access
• 802.1X network access
RADIUS services available on almost any server operating system

6
Q

TACACS

A

Terminal Access Controller Access-Control System

• Remote authentication protocol
• Created to control access to dial-up lines to ARPANET

7
Q

XTACACS (Extended TACACS)

A

A Cisco-created (proprietary) version of TACACS

Additional support for accounting and auditing

8
Q

TACACS+

A

The latest version of TACACS, not backwards compatible

• More authentication requests and response codes
• Released as an open standard in 1993

9
Q

Kerberos

A

Standard since the 1980s (MIT), RFC 4120 - Microsoft started using Kerberos in Windows 2000
Network authentication protocol - Authenticate once, trusted by the system
Mutual authentication - both the client and the server
Protects against man-in-the-middle and replay attacks

10
Q

SSO with Kerberos

A

Authenticate one time
No constant username and password input! - Save time
Only works with Kerberos

11
Q

LDAP (Lightweight Directory Access Protocol)

A

Reading and writing directories over an IP network
Windows AD
LDAP is the protocol used to query and update an X.500 directory
Mac (Apple OpenDirectory), OpenLDAP, etc.
Builds a tree

12
Q

Container objects

A

Country, organization, organizational units

13
Q

Leaf objects

A

Users, computers, printers, files

14
Q

Local authentication

A

Credentials are stored on the local device
Does not use a centralized database
Initial local account on the device
Difficult to scale local accounts
Sometimes useful as a backup

15
Q

Certificate-based authentication

A

Smart card
PIV (Personal Identity Verification) card
CAC (Common Access Card)
IEEE 802.1X

16
Q

Smart card

A

Private key is on the card

17
Q

PIV (Personal Identity Verification) card

A

US Federal Government smart card

Picture and identification information

18
Q

CAC (Common Access Card)

A

US Department of Defense smart card

Picture and identification

19
Q

IEEE 802.1X

A

Gain access to the network using a certificate

On-device storage or a separate physical device

20
Q

Auditing

A

Log all access details - OS logins, VPN, device access

21
Q

Usage auditing

A

• How are your resources used?
• Are your systems and applications secure?

22
Q

Time-of-day restrictions

A

Nobody needs to access the lab at 3 AM

23
Q

Multi-factor authentication

A

More than one factor
• Something you are
• Something you have
• Something you know
• Somewhere you are
• Something you do

24
Q

Something you know

A

Password - Secret word/phrase, string of characters
PIN - Personal identification number
Pattern - Complete a series of patterns

25
Q

Something you have

A

Integrates with devices
• May require a PIN
• USB token - Certificate is on the USB device
• Hardware or software tokens
• Generates pseudo-random authentication codes
• Your phone - SMS a code to your phone

26
Q

Something you are

A

Biometric authentication - Fingerprint, iris scan, voiceprint

27
Q

Somewhere you are

A

Provide a factor based on your location
IP address - IPv4 only

28
Q

Mobile device location services

A

Geolocation to a very specific area
• Must be in a location that can receive GPS information or near an identified mobile or 802.11 network
• Still not a perfect identifier of location

29
Q

Something you do

A

A personal way of doing things - You’re special
Handwriting analysis - Signature comparison or writing technique
Very similar to biometrics - Close to something you are

30
Q

Typing technique

A

Delays between keystrokes

31
Q

Network Access Control (NAC)

A

IEEE 802.1X - Port-based
You don’t get access until you authenticate
Makes extensive use of EAP and RADIUS
Physical interfaces - Not TCP or UDP ports
Administrative enable/disable
Duplicate MAC address checking - Stop the spoofers

32
Q

Port security

A

Prevent unauthorized users from connecting to a switch interface - Alert or disable the port
Based on the source MAC address
Each port has its own config

33
Q

Port security operation

A

Configure a maximum number of source MAC addresses on an interface
The switch monitors the number of unique MAC addresses
Once you exceed the maximum, port security activates - Default is to disable the interface

34
Q

MAC filtering

A

Security through obscurity
Media Access Control - The “hardware” address
Limit access through the physical hardware address
Easy to find working MAC addresses through wireless LAN analysis

35
Q

Captive portal

A

Authentication to a network
Access table recognizes a lack of authentication
Username / password
Once proper authentication is provided, the web session continues

36
Q

Access Control Lists (ACLs)

A

Used to allow or deny traffic - NAT, QoS, etc.
Defined on the ingress or egress of an interface
ACLs evaluate on certain criteria - Source IP, destination IP, TCP port numbers, UDP port numbers, ICMP
Deny or permit - What happens when an ACL matches the traffic?