AAA and Identity Management

Question 1

Types of authentication where the user provides a secret that is only know by him on her. Ex. providing a password, pin or answering secret question

Answer 1

Authentication by Knowledge

Question 2

NIST special publication which provides guidelines for authentication and passwords strenght

Answer 2

NIST Special Publication 800-63B

Question 3

Types of authentication where user is asked to provide proof that he owns something specific. Ex, system might require an employee to use a badge to access a facility. Use of token or smart card,OTP

Answer 3

Authentication by ownership

Question 4

Type of authentication that authenticate user based on some physical or behavioral characteristic, sometimes referred to as biometric attribute. Eg, fingerprints, facial recognition, retina and iris, palm and geometry, blood and vascular info, voice recogntion. Eg of behavioral characteristics : signature dynamic - key stroke

Answer 4

Authentication by Characteristics

Question 5

Authentication when only one factor is presented. Eg password

Answer 5

Single factor authentication

Question 6

Authentication when two or more factor are presented. e

Answer 6

Multi factor authentication

Question 7

Company acquired by Cisco. Very popular multifactor authentication solutions that is used by small , medium and large organization. Provides protection of on-premises and cloud-based application. Done by preconfigure solutions and generic config via Radius, Security Assertion Markup Language (SAML) , LDAP and more

Answer 7

Duo security

Question 8

Another component of Duo Solution. Provides multifcator authentication access to cloud based application

Answer 8

Duo Access Gateway

Question 9

Assumes that no system or user will be trusted when requesting access to corporate network, system and application hosted on on-premised or cloud. you must first verify their trustworthiness before granting access.

Answer 9

Zero Trust

Question 10

Based on Google’s own implementation of a “zero-trust” model which shift access control from the network perimeter firewalls and other security devices to individual devices and users.

Answer 10

BeyondCorp

Question 11

Concept of centralised identiy is also referred as?

It handles authentication, authorization, user attribute exchange and user management

Answer 11

Federated Identity

Question 12

• Elements that are part of an SSO
• Call external API to authenticate and authorize users. Is also used to make sure that applicaitons and services do not store password and user information on-site

Answer 12

Delegation

Question 13

• Elements that are part of an SSO

- Is an SSO environment where all resources and user and link to a centralised database

Answer 13

Domain

Question 14

• Elements that are part of an SSO

- A vector through which identity can be confirmed

Answer 14

Factor

Question 15

• Elements that are part of an SSO

- A collection of shared protocols that allow user identities to be managed across organization

Answer 15

Federated Identity Management

Question 16

• Elements that are part of an SSO
• An identity provider that offers single sign-on, consistency in authorization practices, user management and attribute-exchange practices between providers(issuers) and relying parties (applicaiton)

Answer 16

Federation Provider

Question 17

• Elements that are part of an SSO

- A collection of domains managed by a centralized system

Answer 17

Forest

Question 18

• Elements that are part of an SSO

- An application website, or service responsible for coordinating identities between user and clients

Answer 18

Identity Provider (iDP)

Question 19

• Elements that are part of an SSO

- A ticket-based protocol for authenticaiton built on symmetric-key cryptography

Answer 19

Kerberos

Question 20

• Elements that are part of an SSO
• A term in computing arhictecture referring to the serving of many users(tenants) from a single instance of an application.

Answer 20

Multitenancy

Question 21

• Elements that are part of an SSO

- An open standard for authorization used by many API and modern appliation

Answer 21

OAuth

Question 22

• Elements that are part of an SSO
• Another open standard allow third party services to authenticate users without clients needing to collect, store and subsequently become liable for a users login information

Answer 22

OpenID or OpenID connect

Question 23

• Elements that are part of an SSO

- A type of authentication baed on tokens

Answer 23

Passwordless

Question 24

-Elements that are part of an SSO

A type of identity provider originating in social services like google, facebook and twitter and so on

Answer 24

Web Identity

Question 25

-Elements that are part of an SSO

This is how Active Directory in Microsoft Windows environment organizes user information

Answer 25

Windows Identity

Question 26

• Elements that are part of an SSO
• A common infrastructure (federated standard) for identity, used by web services and browsers on Windows Identity Foundation

Answer 26

WS-Federation

Question 27

Is the process of assigning authenticated subjects permission to carry out specific operation

Answer 27

Authorization

Question 28

The three primary authorization models

Answer 28

• Object capability
• Security Labels
• ACL

Question 29

Is used programmatically and is based on a combination of an unforgeable reference and an operational message

Answer 29

Object capabiltity

Question 30

Are mandatory access controls embedded in object and subject properties. Eg are “confidential”, “secret” and “top secret”.

Answer 30

Security labels

Question 31

Are used to determine access based on some combination of specific criteria, such as user ID, group membership, classification, location, address and date

Answer 31

ACL

Question 32

An authorization policy should implement two concepts

Answer 32

• Implicit deny

- Need to know

Question 33

Are defined by policy and cannot be modified by that information owner. Are primarily used in secure military and government system that require a higher degree of confidentiality

Answer 33

Mandatory Access Control (MAC)

Question 34

Are defined by the owner of the object. are used in commercial operating systems. The object owner builds an ACL that allows or denies access to the object based on the user unique identity

Answer 34

Discretionary Access Control (DAC)

Question 35

Are access per missions based on a specific role or function

Answer 35

Role-Based Access Control (RBAC)

Question 36

Access is based on criteria that are independent of the user or group account. Rules are determined by the resource owner. Commonly used criteria include source or destination address, geographic location and time of day.

Answer 36

Rule-Based access control

Question 37

Is a logical access control that control access to objects by evaluating rule against the attributes of entites

Answer 37

Attribute-Based Access Control (ABAC)

Question 38

is the process of auditing and monitoring what a user does once a specific resource is accessed

Answer 38

Accounting

Question 39

Includes physical and logical network designs, border devices, communication mechanisms and host security settings

Answer 39

Infrastructure access controls

Question 40

Type of access control mechanism method

• simplest way to implement a DAC based system
• Can apply to different objects like files or they can also be configured statements (policies) in network infrastructure devices like router,firewalls

Answer 40

Access Control List (ACL)

Question 41

Type of access control mechanism method
- This is a collection of objects that a subjects can access, together with the granted permission. They key characteristics is it is a subject centric instead of being object centri

Answer 41

Capability Table

Question 42

Type of access control mechanism method
Usually assosicated with a DAC based system. an includes three elements: the subject, the object and the set of permissions.

Answer 42

Access control Matrix (ACM)

Question 43

• Type of access control mechanism method

- Uses the information (Content) within a resource to make an authorization decision

Answer 43

Content-dependent access control

Question 44

• Type of access control mechanism method
• This type of control uses contextual information to make an access decision , together with other information such as identity of the subject

Answer 44

Context-dependent access control

Question 45

• is an AAA protocol mainly to provide network access services.
• The authentication and authorization parts are specified in RFC 2865 while accounting part is specified in RFC 2866.
• Operates on UDP port 1812 for Authorization and Accounting and port 1813 for acounting

Answer 45

Remote Authentication Dial-In User Service (RADIUS)

Question 46

• Proprietary protocol developed by Cisco

- Uses TCP as the transport protocol. Server listen to port 49.

Answer 46

Terminal Access Controller Access Control System Plus (TACACS+)

Question 47

is an IEEE standard that is used to implement port-based access control. In simple terms access device will allow traffic on the port only after the device has been authenticated and authorized

Answer 47

802.1X

Question 48

Three main role in 802.1X enabled network

Answer 48

• Authentication server
• Supplicant
• Authenticator

Question 49

-802.1x protocol
An encapsulation defined in 802.1x thats used to encapsulate EAP packets to be transmitted from the suplicant to the authenticator

Answer 49

EAP over LAN (EAPoL)

Question 50

• 802.1x protocol
• An authentication protocol that used between the suplicant and authetication server to transmit authentication information

Answer 50

Extensible Authentication Protocol (EAP)

Question 51

• 802.1x protocol

- AAA protocol used for communication between authenticator and authentication server

Answer 51

Radius or Diameter

Question 52

802.1X Four Phases

Answer 52

• Session Initiation
• Session Authenticaiton
• Session authorization
• Session Accounting

Question 53

Also called per-user ACL. Is an ACL that can be applied dynamically to a port. Example are ACL pushed down from Cisco ISE

Answer 53

dACL (downloadable ACL)

Question 54

Is the Centralized AAA and policy engine solution from Cisco. Integrates with numerous Cisco Products and third party solutions to allow you to maintain visibility of who and what is access your network.

Answer 54

Cisco Identity services Engine (Cisco ISE)

Question 55

Provides a cross-platform intergration capability among security monitoring applications, threat detection systems, asset management platforms, network policy system and practically any other IT operations platform

Answer 55

Cisco Platform Exchange Grid (pxGrid)

Question 56

Cisco ISE services that allows you to dynamically and detect and classify endpoints connected to the network

Answer 56

Cisco ISE Profiling Services

Question 57

Is a solution and architecture that provide the ability to perform network segmentation and enables acecss controls primarily based on the role of the user(and other attributes) requesting access to network

Answer 57

Cisco TrustSec

Question 58

Is a feature that allows RADIUS Server to adjust an active client session.

Answer 58

Change of Authorization (CoA)

Question 59

global config command to enable Cisco Common Classification Policy language (C3PL) style

Answer 59

authentication display new-style

Question 60

Is a structured replacement for freature-specific configurations commands. this concepts allows you to create traffic policies based on events , conditions and actions

Answer 60

Cisco Common Classification Policy Language