Chapter 6 & 7: Secure Network Configuration and Authentication Flashcards
Which protocols use PKI (4)
SSH
TLS
S/MIME
HTTP-Digest
Which protocol is used by many directory service systems from multiple vendors and manages distributed information services across a network. In this context, a “directory” is a database that stores information about network users, systems, services, and so on.
Lightweight Directory Access Protocol (LDAP)
What is Active Directory on Windows based on (2)
LDAP and Kerberos
What is a session-layer API for network applications that is use for file and printer sharing as well as computer identification on local network segments
Netbios
What protocol is used to remotely manage and monitor devices like routers and switches?
Simple Network Management Protocol (SNMP)
What is an open set of standards based on the Remote Frame Buffer Protocol. Uses TCP port 4900+N where N is the display number.
VNC
What is a simplified version of FTP designed for very lightweight applications, such as devices booting from the network. Uses UDP port 69.
Trivial File Transfer Protocol (TFTP)
What is an improved version of WPA-Personal used by WPA3 which is still based on a shared password distributed to each authorized user, but the password is not used in key generation or exposed to the network in hashed form.
Simultaneous Authentication of Equals (SAE)
Which VPN technology encapsulates almost any L3 protocol in a virtual point-to-point link and is used for tunneling.
Generic Routing Encapsulation (GRE)
Which VPN technology encapsulates PPP packets over GRE to provide VPN tunneling features, but relies on vendor implementation to provide encryption and authentication. Uses TCP port 1723 and GRE port 47
Point-to-point Tunneling Protocol (PPTP)
Which VPN technology is an IETF standard based on elements of PPTP and Cisco’s similar protocol. Uses RADIUS or TACACS+ authentication and IPSec encryption. Requires UDP port 500 and 1701.
L2TP/IPSec
Which VPN technology It
provides similar functionality to L2TP/IPsec while offering higher performance and better firewall traversal.
IKEv2/IPSec
Which encryption technology is often associated with VPNs, but can provide end-to-end level 3 security on any IP network. It is comprised on three protocols to provide authentication and integrity. They’re all based on the idea of security associations (SAs)
IPSec
Which IPSec component negotiates and authenticates SAs between two hosts and exchanges encryption keys to set up a secure channel.
Internet Key Exchange (IKE)
Which IPSec component provides data integrity and source authentication through cryptographic hashes of the packet contents and source identity.
Authentication Header (AH)
Which IPSec component encrypts the packet payload along with integrity and authentication information
Encapsulating Security Payload (ESP)
During IKE negotiations, host, or pee, identities are established through what? (2)
preshared keys or X.509 certificates
IPSec operates in what two modes?
Tunnel mode and Transport mode
What is the purpose of a site survey
To determine existing wifi coverage areas and identify problems
What are onboarding and offboarding procedures applied to?
devices added or removed from the network
What is the term where one party has explicit trust relationship with two other parties, that can form an implied trust relationship between those two
Transitive trust
What is the system that allows a authentication system to be shared across multiple systems or networks even if they’re not directly associated with each other. This makes SSO easier to implement.
Federated Identity Management
What is the term for where users can authorize one service to access resources belonging to another service within the same federation
Access delegation
Which PPP authentication protocol is the oldest and most widely supported standards. It uses a two-way handshake where the client presents user/pass and the server accept/rejects. This is only a one-way authentication and the exchange happens in plaintext.
Password Authentication Protocol (PAP)
Which PPP authentication protocol uses a three-way handshake, with security provided by a shared secret. It also allows for periodic challenges during the session to prevent session hijacking.
Challenge-handshake Authentication Protocol (CHAP)
Which PPP authentication extension can also be used for wireless authentication. This isn’t an authentication method in itself, but rather a message format and set of standard functions that can be used to support a wide variety of specific authentication methods. WPA-Enterprise networks combine 802.1X standard with some version of this for authentication.
Extensible Authentication Protocol (EAP)
Which EAP extension uses client and server X.509 certs in the auth process, allowing high security.
EAP-TLS
Which EAP extension only requires server certificates and the client authenticates securely with a password.
EAP-TTLS
Which EAP extension is used by GSM cellular networks?
EAP-SIM
Which EAP extension is a proprietary Cisco version based off MS-CHAP
Lightweight EAP (LEAP)
Which EAP extension is a proprietary Cisco upgrade to LEAP
EAP Flexible Authentication via Secure Tunneling (EAP-FAST)
This is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel.
It provides a transport layer security structure where it is needed within EAP. It uses a public-key encryption certificate for this purpose. Server-side public-key certificates authenticate servers. It also supports authentication with usernames/passwords.
PEAP
Which technology provides full AAA support to PPP and wireless. It communicates with a network access server (NAS) to provide AAA of the client, and then the NAS manages authorizing that user to network resources. Operates on UDP port 182.
Remote Authentication Dial-In User Service (RADIUS)
Which technology has features similar to RADIUS with the following exceptions
- Uses TCP port 49
- Encrypts entire access request packets
- Combines authentication and authorization into a single step
- Supports more non-IP protocols
Terminal Access Controller Access Control System (TACACS+)
Which EAP extension prevents users from attaching unauthorized devices on the network. It is the underlying technology of WPA-Enterprise and WPA2-Enterprise. The protocol encapsulates EAP messages into EAP over LAN (EAPOL) frames and then relies on some back-end AAA server. Works with RADIUS, Diameter and TACACS+
802.1X
Which system provides mutual authentication and encryption between clients and servers on a non-secure network. Nodes negotiate with each other on the words of this system operating as a trusted third-party.
Kerberos
In Kerberos, each realm is controlled by what?
a Key Distribution Center (KDC)
In Kerberos, what is the component of KDC that authenticates users and gives them a ticket granting ticket (TGT)
The Authentication Server (AS)
In Kerberos, what is the component of KDC that validates TGT holders and issues them temporary credential tickets and session keys?
The ticket-granting service (TGS)
What technology is an open XML-based standard that’s used to exchange authentication and authorization information. It is used in many SSO environments.
Security Association Markup Language (SAML)
What framework provides access delegation, allowing you to give authorization for something to use some, but not all, of you accounts?
OAuth
What is a layer on top of OAuth framework that handles the SSO authentication between systems?
OpenID
In Kerberos, messages are timestamped to prevent replay attacks. Therefore, what is required for authentication using Kerberos?
synchronized time
WPA2 largest change is mandatory support for what encryption mode
128-bit AES-CCMP, the AES cipher using the Counter Mode/CBC-MAC mode of operation.
