Identity And Access Services Flashcards

1
Q

Kerberos

  • What does it do
  • What does it prevent
  • What does it have, what does that prevent
  • SSO?
  • AAA?
A

Kerberos

  • Network authentication mechanism used with Windows Active Directory and some Unix realms
  • Provides mutual authentication.
  • Mutual authentication prevents man in the middle attacks
  • SSO (Single Sign On) - only authenticate once
  • Tickets and timestamps prevent replay attacks.
  • Not AAA - no accounting
2
Q

NTLM

-Vulnerable to what

A

NTLM
New Technology LAN Manager
-Message digest hashing algorithm to challenge users and check credentials
-Confidentiality, integrity, authentication
-Windows
-Somewhat insecure
-Vulnerable to pass the hash attacks (use someone else’s password hash to log in)
-Use Kerberos instead

3
Q

LDAP

-Port

A

Windows Active Directory domains and Linux realms

  • Used to identify objects with codes like CN=Users and DC=GetCertifiedGetAhead (X.500 attribute/value pairs, most specific listed first; hierarchical tree)
  • TCP/UDP port 389
  • LDAPS encrypts w/ TLS
4
Q

RADIUS

  • What is it?
  • What does it provide?
  • How does it work?
  • Encryption?
  • key?
  • Connection?
  • Does it challenge
A

RADIUS

  • Authentication service that provides central authentication for remote clients
  • AAA - Authentication, Authorization, Accounting
  • All VPN servers connect to the RADIUS server, so a password is changed only once and every VPN sees the change
  • Common for RADIUS server to access LDAP server holding accounts
  • Encrypts password packets, but not entire authentication process
  • Uses shared key (shared secret) - symmetric encryption
  • Uses UDP - best effort delivery, not guaranteed delivery
  • Server does not challenge
5
Q

Diameter

  • What is it?
  • What does it provide?
  • What does it use?
  • Security
  • Does it challenge
A

Diameter

  • Authentication service that provides central authentication for remote clients
  • AAA - Authentication, Authorization, Accounting
  • Extension of RADIUS
  • TCP - guaranteed delivery
  • Can secure transmissions with EAP
  • Server does not challenge
6
Q

CHAP

  • What is it?
  • What does it do?
  • Is it secure?
  • Does it challenge?
A

CHAP

  • Challenge Handshake Authentication Protocol
  • VPN authentication service
  • Server sends encrypted challenge
  • Client responds with hash calculated from challenge and password and nonce
  • Server compares received hash with stored hash
  • Not plaintext - more secure than PAP
7
Q

MS-CHAP

  • What is it?
  • What does it provide?
  • How does it work?
  • Is it good?
A

MS-CHAP

  • Microsoft CHAP
  • VPN authentication service (provides authentication)
  • v2 supports mutual authentication
  • Don’t use! Uses DES, easy to brute force (only 2^56 possible keys)
8
Q

PAP

A

PAP

  • Password Authentication Protocol
  • VPN authentication service
  • Sends passwords as cleartext
  • Should not use
9
Q

TACACS+

  • What is it?
  • What does it provide?
  • Encryption?
  • How does it work?
  • Does it challenge?
  • SSO?
A

TACACS+

  • Authentication service that provides central authentication for remote clients
  • AAA - Authentication, Authorization, Accounting
  • Alternative to RADIUS
  • Cisco
  • Encrypts entire authentication process
  • Multiple challenge/response
  • Can be used with Kerberos
  • No SSO
  • TCP
10
Q

OAuth

A

OAuth

  • Authorization framework
  • Use Google, Facebook, Twitter, etc. accounts to authorize
  • Not an authentication protocol
  • OpenID Connect handles single sign-on authentication
11
Q

NAC

A

NAC
Network Access Control
-Inspect clients to ensure healthy
-user or system authentication
-802.1x is a form of NAC
-Encryption of traffic to the wireless and wired network using protocols for 802.1X such as EAP-TLS, EAP-PEAP or EAP-MSCHAP
-Often tied to Role-based Access. Access to the network will be given according to the profile of the person and the results of a posture/health check.

12
Q

Uses a challenge message during authentication

-Three answers

A

Uses a challenge message during authentication

  • CHAP - Challenge Handshake Authentication Protocol
  • MS-CHAPv2 - mutual authentication
  • NTLM
  • TACACS+ (multiple challenge/response)
13
Q

Directory Services

-What technology to implement?

A

Directory Services

  • Authentication protocol: Kerberos
  • LDAP or LDAPS
14
Q

RADIUS Federation

A

RADIUS Federation

  • 802.1x and RADIUS can create federation
  • Two or more entities share
  • SSO