Chapter 4 Authentication, Authorization, Accounting (AAA) and Identity Management Definitions Flashcards

1
Q

AAA

A

Authentication, Authorization, and Accounting

2
Q

Identification

A

Identification is the process of providing the identity of a subject or user. This is the first step in the authentication, authorization, and accounting process.

3
Q

one-time passcode (OTP)

A

A one-time passcode (OTP) is a set of characteristics that can be used to prove a subject’s identity one time and one time only. Because the OTP is valid for only one access, if it’s captured, additional access would be automatically denied.

4
Q

Out-of-band authentication

A

Out-of-band authentication requires communication over a channel that is distinct from the first factor.

5
Q

Multifactor authentication

A

Multifactor authentication is when two or more factors are presented. Multilayer authentication is when two or more of the same type of factors are presented. Data classification, regulatory requirements, the impact of unauthorized access, and the likelihood of a threat being exercised should all be considered when you’re deciding on the level of authentication required.

6
Q

Multilayer authentication

A

Multilayer authentication is when two or more of the same type of factors are presented.

7
Q

SAML

A

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between identity providers. SAML is used in many single sign-on (SSO) implementations.

8
Q

Zero trust

A

This concept assumes that no system or user will be “trusted” when requesting access to the corporate network, systems, and applications hosted on the premises or in the cloud. You must first verify their trustworthiness before granting access.

9
Q

BeyondCorp

A

Google’s implementation of zero trust. This model shifts access control from the network perimeter firewalls and other security devices to individual devices and users.

10
Q

Federated Identity Management

A

A collection of shared protocols that allows user identities to be managed across organizations.

11
Q

Forest

A

A collection of domains managed by a centralized system.

12
Q

Kerberos

A

A ticket-based protocol for authentication built on symmetric-key cryptography.

13
Q

Multitenancy

A

A term in computing architecture referring to the serving of many users (tenants) from a single instance of an application. Software as a Service (SaaS) offerings are examples of multitenancy. They exist as a single instance but have dedicated shares served to many companies and teams.

14
Q

OAuth

A

An open standard for authorization used by many APIs and modern applications. You can access OAuth and OAuth 2.x specifications and documentation at https://oauth.net/2.

15
Q

OpenID (or OpenID Connect)

A

Another open standard for authentication. OpenID Connect allows third-party services to authenticate users without clients needing to collect, store, and subsequently become liable for a user’s login information. Detailed information about OpenID can be accessed at

16
Q

Passwordless

A

A type of authentication based on tokens. Passwordless authentication challenges are typically received and sent through SMS, email (magic links), or biometric sensors.

17
Q

Social identity provider (social IdP)

A

A type of identity provider originating in social services like Google, Facebook, Twitter, and so on.

18
Q

Web identity

A

The identifying data is typically obtained from an HTTP request (often it is retrieved from an authenticated email address).

19
Q

Windows identity

A

This is how Active Directory in Microsoft Windows environments organizes user information.

20
Q

WS-Federation

A

A common infrastructure (federated standard) for identity, used by web services and browsers on Windows Identity Foundation. Windows Identity Foundation is a framework created by Microsoft for building identity-aware applications. You can obtain detailed information about Windows Identity Foundation and WS-Federation at https://docs.microsoft.com/en-us/dotnet/framework/security/.

21
Q

Authorization

A

Authorization is the process of assigning authenticated subjects permission to carry out a specific operation. The authorization model defines how access rights and permissions are granted. The three primary authorization models are object capability, security labels, and ACLs.

22
Q

Implicit deny

A

If no rule is specified for the transaction of the subject/object, the authorization policy should deny the transaction.

23
Q

Need to know

A

A subject should be granted access to an object only if the access is needed to carry out the job of the subject.

24
Q

Mandatory access controls (MACs)

A

Mandatory access controls (MACs) are defined by policy and cannot be modified by the information owner. MACs are primarily used in secure military and government systems that require a high degree of confidentiality.

25
Q

Discretionary access controls (DACs)

A

Discretionary access controls (DACs) are defined by the owner of the object. DACs are used in commercial operating systems.

26
Q

Role-based access controls (RBACs, also called “nondiscretionary controls”)

A

Role-based access controls (RBACs, also called “nondiscretionary controls”) are access permissions based on a specific role or function. Administrators grant access rights and permissions to roles.

27
Q

Accounting

A

Accounting is the process of auditing and monitoring what a user does once a specific resource is accessed.

28
Q

Access control list (ACL)

A

This is the simplest way to implement a DAC-based system. ACLs can apply to different objects (like files) or they can also be configured statements (policies) in network infrastructure devices (routers, firewalls, etc.).

29
Q

Capability table

A

This is a collection of objects that a subject can access, together with the granted permissions.

30
Q

Access control matrix (ACM)

A

This is an access control mechanism that is usually associated with a DAC-based system. An ACM includes three elements: the subject, the object, and the set of permissions.

31
Q

RADIUS

A

RADIUS operates in most cases over UDP port 1812 for authentication and authorization, and UDP port 1813 for accounting, which are the officially assigned ports for this service. In earlier implementations, RADIUS operated over UDP port 1645 for authentication and authorization, and port 1646 for accounting.

The authentication and authorization phase consists of two messages:

The access server sends an ACCESS-REQUEST to the RADIUS server that includes the user identity, the password, and other information about the requestor of the access (for example, the IP address).

The RADIUS server may reply with one of three different messages:

ACCESS-ACCEPT if the user is authenticated. This message also includes, in the Attribute field, authorization information and vendor-specific information used by the access server to provide services.

ACCESS-REJECT if access for the user is rejected.

ACCESS-CHALLENGE if additional information is needed. The RADIUS server needs to send an additional challenge to the access server before authenticating the user. The ACCESS-CHALLENGE is followed by a new ACCESS-REQUEST message.

32
Q

TACACS+

A

Terminal Access Controller Access Control System Plus (TACACS+) is a proprietary protocol developed by Cisco. It also uses a client-server model, where the TACACS+ client is the access server and the TACACS+ server is the machine providing TACACS+ services (that is, authentication, authorization, and accounting). TACACS+ uses TCP port 49.

The TACACS+ exchange requires several packets:

START, REPLY, and CONTINUE packets are used during the authentication process.

REQUEST and RESPONSE packets are used during the authorization and accounting process.

33
Q

Diameter

A

RADIUS and TACACS+ were created with the aim of providing AAA services to network access via dial-up protocols or terminal access. Due to their success and flexibility, they have been used in several other scopes. To respond to newer access requirements and protocols, the IETF has proposed a new protocol called Diameter, which is described in RFC 6733.

Diameter has been built with the following functionality in mind:

Failover: Diameter implements application-level acknowledgment and failover algorithms.

Transmission-level security: Diameter protects the exchange of messages by using TLS or DTLS.

Reliable transport: Diameter uses TCP or SCTP as the transport protocol.

Agent support: Diameter specifies the roles of different agents such as proxy, relay, redirect, and translation agents.

Server-initiated messages: Diameter makes mandatory the implementation of server-initiated messages. This enables capabilities such as on-demand re-authentication and re-authorization.

Transition support: Diameter allows compatibility with systems using RADIUS.

Capability negotiation: Diameter includes capability negotiations such as error handling as well as mandatory and nonmandatory attribute/value pairs (AVPs).

Peer discovery: Diameter enables dynamic peer discovery via DNS.

34
Q

802.1X

A

802.1X is an IEEE standard that is used to implement port-based access control. In simple terms, an 802.1X access device will allow traffic on the port only after the device has been authenticated and authorized.

35
Q

Authentication server

A

An entity that provides an authentication service to an authenticator. The authentication server determines whether the supplicant is authorized to access the service.

36
Q

Supplicant

A

An entity that seeks to be authenticated by an authenticator. For example, this could be a client laptop connected to a switch port. An example of supplicant software is the Cisco AnyConnect Secure Mobility Client.

37
Q

Authenticator

A

An entity that facilitates authentication of other entities attached to the same LAN. This is sometimes referred to as the policy enforcement point (PEP). Cisco switches, wireless routers, and access points are examples of authenticators.

38
Q

EAP over LAN (EAPoL)

A

An encapsulation defined in 802.1X that’s used to encapsulate EAP packets to be transmitted from the supplicant to the authenticator.

39
Q

Extensible Authentication Protocol (EAP)

A

An authentication protocol used between the supplicant and the authentication server to transmit authentication information.

40
Q

VLAN ACLs

A

VLAN ACLs, also called VLAN maps, are not specifically Layer 2 ACLs; however, they are used to limit the traffic within a specific VLAN. A VLAN map can apply a MAC access list, a Layer 3 ACL, and a Layer 4 ACL to the inbound direction of a VLAN to provide access control.

41
Q

SGACL

A

A security group–based ACL (SGACL) is an ACL that implements access control based on the security group assigned to a user (for example, based on his role within the organization) and the destination resources. SGACLs are implemented as part of Cisco TrustSec policy enforcement.

42
Q

dACL

A

A downloadable ACL (dACL), also called a per-user ACL, is an ACL that can be applied dynamically to a port. The term downloadable stems from the fact that these ACLs are pushed from the authentication server (for example, from a Cisco ISE) during the authorization phase.

43
Q

pxGrid

A

Cisco pxGrid provides a cross-platform integration capability among security monitoring applications, threat detection systems, asset management platforms, network policy systems, and practically any other IT operations platform. Cisco ISE supports Cisco pxGrid to provide a unified ecosystem to integrate multivendor tools to exchange information either unidirectionally or bidirectionally.

44
Q

MAB

A

MAC Authentication Bypass (MAB) relies on a MAC address for authentication. A MAC address is a globally unique identifier that is assigned to every network-attached device; consequently, it can be used for authentication.

45
Q

TrustSec Security Group Tags

A

Cisco TrustSec is a solution for identity and policy enforcement. ISE can use security group tags (SGTs) for authentication and authorization. SGTs are values that are inserted into the client’s data frames by a network device (for example, a switch, firewall, or wireless AP).

46
Q

Posture assessment

A

Posture assessment includes a set of rules in a security policy that define a series of checks before an endpoint is granted access to the network. Posture assessment checks include the installation of operating system patches, host-based firewalls, antivirus and anti-malware software, disk encryption, and more.