CH4 Flashcards
The security features that govern how users and processes communicate and interact with systems and resources. The primary function is to protect information from unauthorized access (confidentiality), modification (integrity), or disruption (availability).
Access Controls
Used to identify unique records in a set, such as a username. This is the process of the subject supplying an identifier to the object.
Identification
This is how identification is proven to be genuine. The process of the subject supplying verifiable credentials to the object.
Authentication
Defines how access rights and permissions are granted. The process of assigning authenticated subjects the permission to carry out a specific operation.
Authorization
States that all users - whether they are individual contributors, managers, directors, or executives - should be granted only the level of privilege they need to do their jobs, and no more.
Principle of least privilege
An administrative control that dictates that a single individual should not perform all critical - or privileged-level duties. Important duties must be separated or divided among several individuals within the organization.
Separation of duties
List 4 key concepts of identification.
Identities should be unique, nondescriptive, and securely issued, and identities can be location based.
What are the 3 categories of authentication factors?
knowledge (something the user knows), possession (something the user has), inherence (something the user is).
A knowledge-based authentication that requires a user to answer a question based on something familiar to them.
cognitive password
With this type of authentication, a user is asked to provide proof that he owns something specific (security badge, token, smart card, etc.).
Authentication by ownership or possession.
An authentication method that holds user information on a magnetic stripe and relies on a reader to process it. The user inserts the card into the reader and supplies their PIN.
Memory Card
Similar to a memory card, but this one has a microprocessor and integrated circuits. The user inserts the card into a reader and enters a PIN.
Smartcard
This type of authentication requires communication over a channel that is distinct from the first factor.
Out-of-band authentication
Authenticates a user based on some physical or behavioral characteristic, sometimes referred to as a biometric attribute.
Authentication by Characteristic
Authentication in which 2 or more factors must be presented.
Multi-factor Authentication
Company acquired by Cisco that has a very popular multifactor authentication solution.
Duo Security
With this Duo product, you can configure Trusted Endpoints policies to check the posture of the device that is trying to connect to the network, application, or cloud resources.
Duo Beyond
This Duo product provides multifactor authentication access to cloud applications using SAML.
Duo Access Gateway
This concept assumes that no system or user will be “trusted” when requesting access to the corporate network, systems, and applications hosted on-prem or in the cloud. Their trustworthiness must be verified before access is granted.
Zero Trust
What are the 3 primary authorization models?
object capability, security labels, and ACLs
Used programmatically and is based on a combination of an unforgeable reference and an operational message.
Object Capability
Mandatory access controls embedded in object and subject properties. Examples are “confidential, secret, top secret”.
Security Labels
Used to determine access based on some combination of specific criteria, such as a user ID, group membership, classification, location, address, and date.
Access Control List
An authorization policy should implement what 2 concepts?
Implicit Deny, Need to know
Access controls defined by policy that cannot be modified by the information owner. Primarily used in military and government systems.
Mandatory Access Control
Access controls used in commercial operating systems that are defined by the owner of the object. The object owner builds an ACL that allows or denies access to the object based on the user’s unique identity.
Discretionary Access Controls
Access controls based on a specific role or function. Administrators grant access rights and permissions to roles. Users are then associated with a single role.
RBAC (Role-based Access Control)
Access controls based on criteria independent of the user or group account. Commonly used criteria are source/destination address, geolocation, and time of day.
Rule-Based Access Control
Logical access control model that controls access to objects by evaluating rules against the attributes of entities (both subject and object), operations, and the environment relevant to a request.
Attribute-based Access control
A method for implementing various access control models.
Access Control Mechanisms
List 5 access control mechanisms
ACLs, Capability Tables, ACMs (access control matrix), Content-dependent access control, Context-dependent access control.
What are the 3 most well-known AAA protocols?
RADIUS, TACACS+, Diameter
List some of the advantages of TACACS+ over RADIUS
TACACS+ encrypts the full packet payload (RADIUS encrypts only the password); TACACS+ supports granular command authorization; authentication, authorization, and accounting are performed as separate exchanges; TACACS+ uses TCP (reliability).
IEEE standard that is used to implement port-based access control.
802.1X
What are the 3 main roles in an 802.1X-enabled network?
authentication server, supplicant, authenticator
An encapsulation defined in 802.1X that’s used to encapsulate EAP packets to be transmitted from the supplicant to the authenticator.
EAPoL
An authentication protocol used between the supplicant and the authentication server to transmit authentication information.
EAP
The AAA protocol used for communication between the authenticator and the authentication server.
RADIUS or Diameter
ACL that implements access control based on the security group assigned to a user (for example, based on their role within the organization) and the destination resources.
SGACL (security group ACL)
Also called a per-user ACL, this is an ACL that can be applied dynamically to a port.
Downloadable ACL (dACL)
Provides a cross-platform integration capability among security monitoring applications, threat detection systems, asset management platforms, network policy systems, and practically any other IT operations platform.
pxGrid
This functionality allows you to dynamically detect and classify endpoints connected to the network.
ISE Profiling Services
ISE rules that enforce policy after authentication is performed.
Authorization rules
A solution and architecture that provides the ability to perform network segmentation and enables access controls based primarily on the role of the user (and other attributes) requesting access to the network.
Cisco TrustSec
The protocol that allows software-enabled devices to participate in the TrustSec architecture.
SGT Exchange Protocol (SXP)
A set of rules in a security policy that define a series of checks performed before an endpoint is granted access to the network.
Posture assessment
What are the 3 types of agents that can be deployed for posture assessment?
Temporal Agent, Stealth AnyConnect, AnyConnect
A feature that allows a RADIUS server to adjust an active client session. For instance, ISE can issue the (***) RADIUS attribute to an access device to force the session to be reauthenticated.
Change of Authorization (CoA)
A feature that enables ISE to collect threat and vulnerability data from many third-party threat and vulnerability scanners and software. The purpose of this feature is to give ISE a threat and risk view into the hosts whose access rights it controls.
TC-NAC (Threat-Centric Network Access Control)
What are the 3 methods of authentication on a switch port?
802.1X, MAB, WebAuth