Week 7 - Network Access Control and Cloud Security Flashcards
What are the 3 categories of components in NAC?
Three Categories of Components:
1. Access Requestor (AR):
- Definition: Devices requesting access to the network (also known as supplicants or clients).
- Examples: Endpoint devices like computers and mobile phones.
- Functions: Initiates user authentication, establishes session keys, and facilitates communication.
2. Network Access Server (NAS):
- Definition: Servers responsible for handling user access requests and enforcing network access policies.
- Functions: Performs user authentication, verifies claimed identities, and establishes session keys for secure communication.
3. Policy Server:
- Definition: Central server responsible for enforcing network access policies and ensuring compliance.
- Functions: Checks whether the AR’s software meets specific requirements, determines access levels for ARs, and grants appropriate permissions.
What is NAC?
NAC (Network Access Control):
- Definition: An umbrella term for managing access to a network.
- Functions:
1. Authenticates user log-in.
2. Determines user’s data access and permissions for actions.
3. Examines the health of the user’s endpoint devices (e.g., computers, mobile phones).
What are the 4 commonly used network access enforcement methods?
Network Enforcement Methods:
IEEE 802.1X:
- Description: The most commonly implemented solution for network access control (NAC).
- Function: Operates at the link layer, enforcing authorization before assigning an IP address to a port.
- Authentication: Uses the Extensible Authentication Protocol (EAP) for the authentication process.
Virtual Local Area Networks (VLANs):
- Description: Logical subgroups within a LAN that segregate network traffic.
- Function: Network Access Server (NAS) directs Access Requestors (ARs) to different VLANs based on their needs.
- Flexibility: ARs may belong to multiple VLANs, allowing for granular control over network access.
Firewall:
- Description: A form of NAC that regulates network traffic between an enterprise network and ARs.
- Function: Allows or denies network traffic based on predefined rules, enhancing network security.
DHCP (Dynamic Host Configuration Protocol) Management:
- Description: Enables the dynamic allocation of IP addresses to devices on a network.
- NAC Enforcement: Occurs at the IP layer, based on subnet and IP assignment.
- Function: Helps in managing IP address allocation and enforcing network access policies based on assigned IP addresses.
What is EAP?
EAP (Extensible Authentication Protocol):
- Definition: EAP is defined in RFC 3748 as a framework for network access and authentication protocols.
Extensibility:
- Allows encapsulation of various authentication methods between an Access Requestor (AR) and an Authentication Server.
Supported Networks:
- EAP works on:
- Point-to-point links
- LANs
- Other types of networks
This extensible nature and broad compatibility make EAP a versatile choice for implementing authentication in diverse network environments.
What is the goal of EAP message exchange?
A: The goal of EAP message exchange is to achieve successful authentication, which occurs when:
- The Authenticator decides to allow access by the peer.
- The peer decides to use this access.
What are the components of an EAP message?
EAP Message Structure:
Types of EAP Messages:
- Request (1)
- Response (2)
- Success (3)
- Failure (4)
Identifier:
- Purpose: Match a pair of Request and Response messages.
Length:
- Purpose: Indicates the length of a message.
Data:
- Purpose: Contains information related to authentication.
- Note: Success and Failure messages do not include a Data field.
What are the general ideas of IEEE 802.1X Port-Based NAC?
IEEE 802.1X Port-Based NAC:
- Provides network access control functions for LANs.
Terminology:
- Supplicant == peer (in EAP): Represents the device seeking network access.
- Network access point == authenticator (in EAP): Represents the network entity controlling access to the network.
Uncontrolled port:
- Purpose: Allows the exchange of Protocol Data Units (PDUs) between Supplicant and Authentication Server (AS), regardless of the authentication state.
Controlled port:
- Purpose: Reserved for authorized exchanges, ensuring that only authenticated devices can communicate on the network.
What is EAPOL?
EAPOL, or EAP over LAN, is an essential element defined in IEEE 802.1X for network access control. It operates directly over Ethernet or Wi-Fi at the data link layer. EAPOL facilitates communication between a supplicant (device seeking network access) and an authenticator (network entity controlling access). Its primary function is to carry EAP packets for authentication purposes within LAN environments.
What are the common EAPOL data frame types?
EAPOL-EAP (EAP over LAN - EAP):
- Definition: Contains an encapsulated EAP packet, including:
- Protocol version (of EAPOL)
- Packet type (Start, EAP, Key, or Logoff)
- Packet body length
- Packet body (the payload of the packet)
EAPOL-Start:
- Purpose: A supplicant can issue this packet instead of waiting for a challenge from the authenticator.
- Function: Indicates to the authenticator that the supplicant is ready and can determine whether an authenticator is present.
EAPOL-Logoff:
- Purpose: Used to return the state of the port to unauthorized when the supplicant is finished using the network.
EAPOL-Key:
- Purpose: Used to exchange cryptographic keying information.
What is cloud computing?
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
What are the three service models in cloud computing?
Software-as-a-Service (SaaS):
- Definition: The service provided by the provider is the software running on a cloud infrastructure.
- Explanation: Users access and use the software via the internet, without needing to install or run it on their local machines.
Platform-as-a-Service (PaaS):
- Definition: The service provided by the provider is the development or deployment platform (environment) running on a cloud infrastructure.
- Explanation: Users can develop, test, and deploy applications without managing the underlying infrastructure, which could be a database or an operating system.
Infrastructure-as-a-Service (IaaS):
- Definition: The service provided by the provider is the infrastructure (fundamental computing resources), allowing customers to deploy and run any arbitrary software, including operating systems, on a cloud infrastructure.
- Explanation: Users have control over the virtualized computing resources such as processors, storage, and networks, and can deploy and manage their own applications and operating systems.
What are the five essential characteristics in cloud computing?
Broad Network Access:
- Definition: Capabilities available over the network.
- Explanation: Services and resources accessible from various devices and locations.
Rapid Elasticity:
- Definition: Computing resources occupied based on requirements.
- Explanation: Resources can be rapidly scaled up or down to meet changing demand.
Measured Service:
- Definition: Resource usage monitored, controlled, and reported.
- Explanation: Usage of resources tracked for billing, optimization, and performance monitoring.
On-Demand Self-Service:
- Definition: Automatic assignment of required resources.
- Explanation: Users can provision and manage resources independently without manual intervention.
Resource Pooling:
- Definition: Provider’s resources pooled for multiple clients.
- Explanation: Resources such as storage and processing shared among users, maximizing efficiency.
What are the 4 deployment models in cloud computing?
Public Cloud:
- Definition: Available to the general public.
- Ownership: Owned by organizations for selling cloud services.
- Responsibility: Providers are responsible for both cloud infrastructure and control of data.
Private Cloud:
- Definition: Operated solely by an organization.
- Ownership: Owned and operated by the organization.
- Responsibility: Providers are only responsible for cloud infrastructure.
Hybrid Cloud:
- Definition: A composition of several public and private clouds.
- Composition: Public clouds provide some services, while private clouds provide others.
- Flexibility: Organizations can leverage the benefits of both public and private clouds.
Community Cloud:
- Definition: The cloud infrastructure is shared by several organizations.
- Usage: Designed to meet the needs of a specific community or group of organizations.
- Collaboration: Allows organizations within the community to share resources and achieve common goals.
Who are the five major actors in the NIST Cloud Computing Reference Architecture?
Cloud Consumer:
- Definition: Entity or individual who uses cloud services.
- Role: Consumes cloud services provided by cloud providers.
Cloud Provider (CP):
- Definition: Organization that offers cloud services.
- Role: Provides cloud infrastructure, platforms, or software to cloud consumers.
Cloud Auditor:
- Definition: Conducts independent assessments of cloud services, information system operations, performance, and security of the cloud implementation.
- Role: Ensures compliance, reliability, and security of cloud services for cloud consumers.
Cloud Broker:
- Definition: Manages the use, performance, and delivery of cloud services, and negotiates relationships between CPs and cloud consumers.
- Role: Acts as an intermediary between cloud consumers and providers to optimize cloud service delivery and manage relationships.
Cloud Carrier:
- Definition: Provides connectivity and transport of cloud services from CPs to cloud consumers.
- Role: Facilitates the transmission of data and services between cloud providers and consumers by providing network connectivity and transport services.
What are the common cloud security risks and countermeasures?
Insecure Interfaces and APIs:
- Risk: Security of cloud computing relies on the security of APIs.
- Countermeasures:
- Analyze the security model of cloud provider (CP) interfaces.
- Ensure strong authentication and access controls are implemented alongside encrypted transmission.
- Understand the dependency chain associated with the API.
Malicious Insiders:
- Risk: Insiders within cloud providers pose security threats.
- Countermeasures:
- Enforce strict supply chain management and conduct comprehensive supplier assessments.
- Specify human resource requirements in legal contracts.
- Require transparency into information security practices and compliance reporting.
- Establish security breach notification processes.
Shared Technology Issues:
- Risk: Weak isolation properties of shared infrastructure in IaaS environments.
- Countermeasures:
- Implement security best practices for installation/configuration.
- Monitor environments for unauthorized changes/activity.
- Promote strong authentication and access control for administrative access.
- Enforce SLAs for patching and vulnerability remediation.
- Conduct vulnerability scanning and configuration audits.
Data Loss or Leakage:
- Risk: Data on shared storage are vulnerable.
- Countermeasures:
- Implement strong API access control.
- Encrypt and protect the integrity of data in transit.
- Analyze data protection at both design and runtime.
- Implement strong key generation, storage, management, and destruction practices.
Account or Service Hijacking:
- Risk: Attackers can obtain user privilege with stolen credentials.
- Countermeasures:
- Prohibit sharing of account credentials.
- Use strong two-factor authentication techniques.
- Employ proactive monitoring to detect unauthorized activity.
- Understand CP security policies and SLAs.
Unknown Risk Profile:
- Risk: Cloud infrastructures may gain more control over user data.
- Countermeasures:
- Disclose applicable logs and data.
- Provide partial/full disclosure of infrastructure details (e.g., patch levels, firewalls).
- Implement monitoring and alerting on necessary information.