Security + CH8

Created by semperfivmi07 


Definition of Authentication (in two contexts)

1. as it relates to access control; 2. as one of the three key elements of security—authentication, authorization, and accounting

Authentication, Authorization, and Accounting (AAA)

the three key elements in security; together they make it possible to determine who the user is, what the user can do, and what the user did, in order to control access to network resources, enforce security policies, and audit usage

Authentication

provides a way of identifying a user, typically by having them enter a valid password before granting access

Authorization

the process that determines whether the user has the authority to carry out certain tasks, often defined as the process of enforcing policies

Accounting

measures the resources a user "consumes" during each network session

AAA servers

Servers dedicated to performing AAA functions; they can provide significant advantages in a network

One-Time Passwords

Dynamic passwords that change frequently

Token

typically a small device with a window display

Challenge-based OTPs

Authentication server displays a challenge (a random number) to the user

Standard biometrics

Uses a person's unique characteristics for authentication (what he is)

Two Types of fingerprint scanners

Static and dynamic

Static fingerprint scanner

requires the user to place the entire thumb or finger on a small oval window on the scanner

Dynamic fingerprint scanner

requires the user to swipe a finger across the opening or slit

Behavioral biometrics

Authenticates by normal actions that the user performs

Keystroke dynamics

Attempt to recognize a user's unique typing rhythm

Keystroke dynamics uses two unique typing variables

dwell and flight time

Dwell time

the time it takes for a key to be pressed and then released

Flight time

the time it takes between keystrokes

Voice recognition

Used to authenticate users based on the unique characteristics of a person's voice

Phonetic cadence

Speaking two words together in a way that one word "bleeds" into the next word; this becomes part of each user's speech pattern

Computer footprint

When and from where a user normally accesses a system

Cognitive biometrics

Related to the perception, thought process, and understanding of the user

Authentication credentials

one-time passwords, standard biometrics, behavioral biometrics, voice recognition, computer footprints, cognitive biometrics

Authentication Models

single and multi-factor authentication, single sign-on, Windows Live ID, Windows CardSpace, OpenID

One-factor authentication

Using only one authentication credential

Two-factor authentication

Enhances security, particularly if different types of authentication methods are used

Three-factor authentication

Requires that a user present three different types of authentication credentials

Single sign-on

using one authentication to access multiple accounts or applications

Federated identity management (FIM)

Identity management in which the networks sharing the authenticated ID are owned by different organizations

Identity management

Using a single authenticated ID to be shared across multiple networks

Windows Live ID

Originally introduced in 1999 as .NET Passport, requires a user to create a standard username and password

Windows CardSpace

Feature of Windows that is intended to provide users with control of their digital identities while helping them to manage privacy

OpenID

A decentralized open source FIM that does not require specific software to be installed on the desktop

The most common type of authentication and AAA servers

RADIUS, Kerberos, TACACS+, and generic servers built on the Lightweight Directory Access Protocol (LDAP)

RADIUS (Remote Authentication Dial in User Service)

an authentication server for high volume service control applications

Kerberos

An authentication system developed by the Massachusetts Institute of Technology (MIT) and used to verify the identity of networked users

Kerberos process

1. The user is provided a ticket issued by the Kerberos authentication server; 2. the user presents this ticket to the network for a service; 3. the service examines the ticket to verify the identity of the user

Terminal Access Controller Access Control System (TACACS+)

An industry standard protocol specification that forwards username and password information to a centralized server

Lightweight Directory Access Protocol (LDAP)

a simpler subset of the Directory Access Protocol

Directory Service

A database stored on the network itself that contains information about users and network devices

X.500

A standard for directory services, created by ISO

White-pages service

Capability to look up information by name

Yellow-pages service

Browse and search for information by category

Directory information base (DIB)

the repository in which X.500 information is held

Directory information tree (DIT)

the tree structure of a directory information base

Directory Access Protocol (DAP)

the X.500 standard that defines a protocol for a client application to access the X.500 directory

LDAP is an ____ protocol

open

Extended Authentication Protocols (EAP)

Management protocol of IEEE 802.1x that governs the interaction between the system, authenticator, and RADIUS server

The EAP protocols can be divided into three categories

Authentication legacy protocols, EAP weak protocols, and EAP strong protocols

Authentication Legacy Protocols

protocols no longer extensively used for authentication

Three authentication legacy protocols

PAP, CHAP, MS-CHAP

Password Authentication Protocol (PAP)

one of the earliest and most basic protocols, used to authenticate a user to a remote access server or to an Internet service provider (ISP); transmits unencrypted passwords in clear text

Challenge-Handshake Authentication Protocol (CHAP)

uses a three-way handshake; both the device and the authenticator share a secret key

Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)

the Microsoft implementation of CHAP (2 versions), provides a method for changing passwords and retrying in the event of a failure

EAP weak protocols

EAP-MD5, LEAP

Extended Authentication Protocol-MD5 (EAP-MD5)

allows a RADIUS server to authenticate devices (stations) by verifying an MD5 hash of each user's password

Lightweight EAP (LEAP)

requires mutual authentication and delivers the keys used for WLAN encryption; used with Cisco clients

EAP strong protocols

EAP-TLS, EAP-TTLS/PEAP

EAP with Transport Layer Security (EAP-TLS)

requires that the device and the RADIUS server prove their identities to each other using enhanced security (public key cryptography with digital certificates)

EAP with Tunneled TLS (EAP-TTLS) and Protected EAP (PEAP)

designed to simplify the deployment of 802.1x. Both use Windows logins and passwords.

PEAP

more flexible scheme because it creates an encrypted channel between the client and the authentication server

Managing remote authentication and security usually includes:

Using remote access services, Installing a virtual private network, Maintaining a consistent remote access policy

Remote Access Services (RAS)

Any combination of hardware and software that enables remote users to access a local internal network; provides remote users with the same access and functionality as local users

Virtual private network (VPN)

One of the most common types of RAS, uses an unsecured public network, such as the Internet, as if it were a secure private network

Common types of VPNs

Remote-access VPN (VPDN) and site-to-site VPN

Remote-access VPN or virtual private dial-up network (VPDN)

a user-to-LAN virtual private network connection used by remote users

Site-to-site VPN

a virtual private network in which multiple sites can connect to other sites over the Internet

Endpoint

end of the tunnel between VPN devices

VPN concentrator

Aggregates hundreds or thousands of VPN connections

Advantages of VPN technology

Cost savings, Scalability, Full protection, Speed, Transparency, Authentication, Industry standards

Disadvantages to VPN technology

Management, Availability and performance, Interoperability, Additional protocols, Performance impact, Expense
