Domain 5 Flashcards
AAA Protocols
Authentication, Authorization, and Accounting
AAA Protocols
Network Access (Remote Access) Server
Is a client of the RADIUS server: the NAS relays the user's credentials, and the RADIUS server provides the AAA services
Network Access Servers
RADIUS
Uses UDP (ports 1812/1813); protects only the User-Password attribute (MD5-based obfuscation) and sends the rest of the packet in cleartext
Remote access
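Added example (not part of the original deck): the RADIUS User-Password hiding from RFC 2865 section 5.2, written out in Python to show concretely what "encrypts the password only" means. The shared secret, Request Authenticator and passwords are constructed test values; the function names are mine.

```python
"""Added example: RADIUS User-Password hiding (RFC 2865 section 5.2).

Not code from the original deck; all inputs below are constructed test values.
"""
import hashlib


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(shared_secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """Return the User-Password attribute value the NAS puts on the wire.

    The password is NUL-padded to a multiple of 16 octets and XORed, block by block,
    with an MD5 keystream: b1 = MD5(S + RA), b(n) = MD5(S + c(n-1)).
    Nothing else in the Access-Request is protected.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 allows passwords of 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        block_key = hashlib.md5(shared_secret + prev).digest()
        c = _xor16(padded[i:i + 16], block_key)
        out += c
        prev = c
    return bytes(out)


def radius_unhide_password(shared_secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Recover the password on the server side (same keystream, XOR again).

    Trailing NULs are padding; this is why RFC 2865 passwords cannot end in a NUL byte.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block_key = hashlib.md5(shared_secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += _xor16(chunk, block_key)
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def xor_first_blocks(hidden_a: bytes, hidden_b: bytes) -> bytes:
    """If two requests reuse the same secret and Request Authenticator, their first
    blocks share the keystream b1, so c1a XOR c1b == p1a XOR p1b: the difference of
    the two plaintext passwords leaks without knowing the secret at all."""
    return _xor16(hidden_a[:16], hidden_b[:16])


if __name__ == "__main__":
    secret = b"testing123"      # constructed shared secret
    ra = bytes(range(16))      # constructed Request Authenticator (real ones are random)
    hidden = radius_hide_password(secret, ra, b"correct horse battery")
    print("on the wire:", hidden.hex())
    print("recovered  :", radius_unhide_password(secret, ra, hidden))
```

Only the User-Password attribute is transformed; the user name, NAS address and everything else in the Access-Request travel in cleartext, and the transform is an MD5 keystream XOR, so a NAS that reuses a Request Authenticator with the same secret leaks the XOR of two passwords (the last function). In a lab, capture an Access-Request and feed the attribute value to radius_unhide_password with the configured secret.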
Network Access Servers
TACACS+
Uses TCP (port 49) and encrypts the entire packet body (only the header is cleartext); handles authentication, authorization and accounting as separate functions
Admin access to network devices (device administration)
Network Access Servers
Diameter
Is based on RADIUS and fixes many of its weaknesses (TCP or SCTP transport, mandatory transport security such as IPsec or TLS, larger attribute space), but is NOT backward compatible with RADIUS
4G/LTE core networks
Active Directory
Kerberos
Primary purpose: authentication
- Allows users to prove their identity (to the KDC, then to services via tickets)
- Also provides some confidentiality and integrity (session keys protect traffic between client and service)
- Does NOT include logging, therefore does NOT provide accountability
Common Attacks
- Replay
- Pass-the-ticket (Kerberos) / Pass-the-hash (NTLM)
- Golden ticket (a forged TGT signed with the krbtgt account hash)
- Kerberoasting (requesting service tickets and cracking them offline to recover service account passwords)
Authorization Mechanisms
Need To Know
A subject with the clearance to access information is granted access only if they actually need it to perform their duties
Authorization Mechanisms
Least Privilege
Like need to know, but also covers the rights to take actions on a system (read, write, execute, configure), not just access to information
Authorization Mechanisms
Separation of Duties
Sensitive functions are split into tasks performed by 2+ employees
Modern Approach to Least Privilege
Just-In-Time (JIT)
Allows temporary elevation of privilege (usually time limited) as needed, revoking the privilege at the end of the allowed window
- Sometimes implemented through ephemeral accounts, or through a broker-and-remove-access strategy (a broker grants the access on request and removes it afterwards)
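Added example (not from the original deck): a hypothetical JIT privilege broker in Python that grants a role for a bounded window, caps the window, revokes it at expiry and writes an audit trail. The JitBroker class, the role names and the 4-hour cap are assumptions made for the illustration; times are epoch seconds passed in explicitly so the behaviour can be checked without a clock.

```python
"""Added example: a hypothetical just-in-time (JIT) privilege broker.

Not from the original deck. Standing entitlement is only the right to ask for a
role; nothing is active until requested, and every grant expires on its own.
"""
from dataclasses import dataclass


@dataclass
class Grant:
    principal: str
    role: str
    granted_at: int    # epoch seconds
    expires_at: int    # epoch seconds
    reason: str


class JitBroker:
    MAX_WINDOW = 4 * 3600   # assumed policy cap: no elevation may outlive 4 hours

    def __init__(self, eligibility):
        # eligibility: {principal: iterable of roles the principal may *request*}
        self._eligibility = {p: set(r) for p, r in eligibility.items()}
        self._active = {}       # (principal, role) -> Grant
        self.audit = []         # accountability: every decision is recorded

    def request(self, principal, role, reason, now, duration=1800):
        """Elevate `principal` into `role` for `duration` seconds (capped), starting at `now`."""
        if role not in self._eligibility.get(principal, ()):
            self._log(now, "DENY", principal, role, "not eligible")
            raise PermissionError(f"{principal} is not eligible for {role}")
        if not reason.strip():
            raise ValueError("a justification is required for every elevation")
        duration = max(1, min(int(duration), self.MAX_WINDOW))
        grant = Grant(principal, role, now, now + duration, reason)
        self._active[(principal, role)] = grant
        self._log(now, "GRANT", principal, role, f"until t={grant.expires_at} ({reason})")
        return grant

    def has_role(self, principal, role, now):
        """Authorization check: true only inside an unexpired window. Expiry revokes."""
        grant = self._active.get((principal, role))
        if grant is None:
            return False
        if now >= grant.expires_at:
            self._revoke(grant, now, "expired")
            return False
        return True

    def sweep(self, now):
        """Background revocation: remove every expired grant, return how many."""
        expired = [g for g in self._active.values() if now >= g.expires_at]
        for g in expired:
            self._revoke(g, now, "expired")
        return len(expired)

    def revoke(self, principal, role, now, why="manual"):
        """Early revocation, e.g. when the incident is closed before the window ends."""
        grant = self._active.get((principal, role))
        if grant is None:
            return False
        self._revoke(grant, now, why)
        return True

    def _revoke(self, grant, now, why):
        self._active.pop((grant.principal, grant.role), None)
        self._log(now, "REVOKE", grant.principal, grant.role, why)

    def _log(self, now, action, principal, role, detail):
        self.audit.append(f"t={now} {action} {principal} {role}: {detail}")


if __name__ == "__main__":
    broker = JitBroker({"alice": ["db-admin"]})          # constructed eligibility list
    broker.request("alice", "db-admin", "INC-42 restore", now=1000, duration=900)
    print(broker.has_role("alice", "db-admin", now=1500))   # inside the window
    print(broker.has_role("alice", "db-admin", now=1900))   # window closed, grant revoked
    print("\n".join(broker.audit))
```

The check every resource must make is has_role at request time, not at login time; a grant that is only checked once at login is standing privilege with a different name. The audit list is what gives the elevation accountability, which the deck notes Kerberos alone does not provide.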
Security Controls
Types (7)
- Preventative
- Detective
- Corrective
- Deterrent
- Compensating
- Directive
- Recovery
Security Controls
Categories (3)
- Logical / Technical
- Physical
- Administrative
Security Controls - Categories
Logical / Technical
Hardware or software mechanisms used to manage access and protect systems and data
Examples
- encryption
- smart cards
- IDS
- Access Control List
- protocols
- firewalls
- routers
- Clipping levels (thresholds, e.g. locking an account after N failed logins)
Security Controls - Categories
Physical
Protect facility and real world objects
- guards, fences, alarms
Security Controls - Categories
Administrative
Policies and procedures to enforce overall access control
- Focused on personnel and business practices
Examples
- background checks
- security training