Access Control and Identity Management Flashcards
AAA Model
Authentication
Authorization
Accounting
POLA/POLP
Principle of Least Access
Principle of Least Privilege
Identification
Process of IDing an entity for authentication
User ID guidelines:
* Uniqueness
* Non-descriptive (doesn’t say job)
* Issuance secure (process of getting ID)
Most common forms:
* User Name, User ID, Acct Number
Authentication
Verifies a user's ID using one or more of three factors:
* Something you know
** Passwords/PINs
* Something you have
** ATM Card, CAC, Tokens
* Something you are
Authentication Tokens Types
Passive or Stored Value
* Storage device that stores some kind of key
* Magnetic strip or bar code
* Static password
Active
* Processor that computes a one-time password
* Synchronous Dynamic Token
* Asynchronous Dynamic Token
Type 1 Authentication Methods
Something you know
Passwords/PINs
Type 2 Authentication Methods
Something you have
ATM card, CAC, Tokens
Type 3 Authentication Methods
Something you are
Biometrics
CER
Crossover Error Rate
Least amount of both False Reject Rate and False Accept Rate
Strong Authentication
Multiple types of the same factor
E.g. two "somethings you have"
SSO
Single Sign On
Authenticate only once
E.g. uses of SSO: Kerberos, SESAME, directory services
Kerberos
Principal - device on network
Realm - like a domain
KDC (Key Distribution Center)
* AS (Authentication Server)
* TGS (Ticket-Granting Server)
* TGT (Ticket-Granting Ticket)
* RTGS (Remote Ticket-Granting Service)
X.500 Standard
For Directory Services
Directory Services
Logical means of organizing resources
ACLs to control access to resources
LDAP
Lightweight Directory Access Protocol
Standardized directory access protocol
Allows queries to be made of directories
X.500 Standard
Port 389
Port 636 for LDAP over TLS/SSL
Types of LDAP Authentication
Anonymous:
* Username only
Simple:
* Name/Password in clear
* Uses Port 389; port 636 over SSL
SASL for secure authentication
SASL
Simple Authentication and Security Layer
Can utilize Kerberos, MD5, S/Key, IPSec, TLS
DIT
Directory Information Tree
Microsoft’s Active Directory
Directory Services
Backbone for all security, access, and network implementations.
Managed by one or more servers
Tree structure
RADIUS
Remote Authentication Dial-In User Service
Centralized system for AAA
Supports PAP, CHAP and EAP
Only password is encrypted
UDP 1812 (Authentication), 1813 (Accounting)
Client = network access server
Server = stores all authentication and network access information
Ability to audit and account
Diameter
AAA protocol suite designed to handle broadband and other connections
End-to-end encryption through IPSec, TLS or both
Mutual authentication
TCP port 3868
TACACS+
Terminal Access Controller Access Control System
Alternative to RADIUS
Cisco product
AAA performed separately
Supports PAP, CHAP and EAP
Multi-factor authentication
Encrypts entire body of authentication packet
TCP port 49
Implicit/Explicit Deny
Implicit: By not specifically allowing access.
Explicit: By specifically denying access.
Least Privilege
Just what they NEED to do their job not what they WANT.