  o Authentication-only protocol
  o Used in Microsoft Active Directory
  o Port 88
  o SSO (Single Sign-On)
      ▪ Ability to authenticate once and have access to everything without authenticating again
      ▪ User must authenticate with the Key Distribution Center (KDC)
      ▪ Ticket Granting Service (TGS) runs on the KDC
  o Provides the user with a ticket
      ▪ The ticket is presented to the server and access is then granted without authenticating again
• LDAP (Lightweight Directory Access Protocol)
  o Provides access to directory services
  o Port 389
      ▪ Can be paired with TLS/SSL for encryption (Secure LDAP)
  o Vulnerable to:
      ▪ Buffer overflow
      ▪ Format string vulnerabilities
      ▪ Improperly formatted requests
• Secure LDAP
  o LDAP over TLS/SSL
  o Port 636
• XTACACS
  o Cisco-proprietary protocol
  o Allows a remote access server to communicate with an authentication server
• SAML (Security Assertion Markup Language)
  o An XML framework for creating and exchanging security information between online partners
  o Identity mechanism
  o Used by most cloud and SaaS service providers
      ▪ WebEx, Google Apps, Salesforce
  o Authentication assertion: validates the user's identity
  o Attribute assertion: contains information about the user
  o Authorization assertion: identifies what the user is authorized to do

Given a Scenario, Select the Appropriate Authentication, Authorization, or Access Control
• Multifactor Authentication
  o Two or more of the types of authentication
  o Something you know, have, are, or do, or somewhere you are
• Discretionary Access Control (DAC)
  o ?????
• Rule-Based Access Control (RBAC)
  o Allows access if predefined conditions are met
• Role-Based Access Control (RBAC)
  o Restricts access based on roles
• Time-of-Day Restrictions
  o Restrictions based on the time of day
• Authentication
  o Tokens
      ▪ Devices that generate a one-time password every 60 seconds
      ▪ Example: RSA SecurID
  o Smart Card
      ▪ Card with a built-in processor/memory chip
      ▪ Can contain medical or credit information
      ▪ Common Access Card (CAC)
          · Example of a smart card
          · Can give entrance to a building
      ▪ Personal Identity Verification (PIV)
          · Used by federal employees and contractors
  o TOTP (Time-based One-Time Password)
      ▪ Password that can only be used once
      ▪ Password changes for each 60-second window
      ▪ Requires time synchronization
  o HOTP (Hash-based One-Time Password)
      ▪ Password changes based on events
      ▪ Password changes on each login
  o CHAP (Challenge Handshake Authentication Protocol)
      ▪ Sends passwords with encryption
  o PAP (Password Authentication Protocol)
      ▪ Sends passwords in clear text
  o Single Sign-On (SSO)
      ▪ Example: Kerberos
      ▪ User does not have to re-enter password
      ▪ KDC (Key Distribution Center)
      ▪ TGS (Ticket Granting Service)
  o Access control
      ▪ MAC, DAC, RBAC
  o Implicit deny
      ▪ If not explicitly allowed, then deny
  o Trusted OS
      ▪ OS with security built into it
• Authentication Factors
  o Something you know (passwords, login ID)
  o Something you have (smart card, shifting keys)
  o Something you are
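The three SAML assertion types listed above (authentication, attribute, authorization) map to three statement elements inside a SAML 2.0 <Assertion>. The following is an added example, not part of the original notes or of any SAML library: it parses a constructed assertion with the standard-library XML parser, pulls out each statement type, and enforces the Conditions validity window that a service provider must check before acting on the assertion. The identity provider, service provider, user and attribute names are all made up; the example assumes the XML signature has already been verified by a SAML library before this code sees the assertion.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml.ElementTree
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion (hypothetical IdP "idp.example.test" and SP
# "sp.example.test"). A real assertion also carries a <ds:Signature>; this
# example assumes signature verification has already been done.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AuthnStatement AuthnInstant="2024-01-01T11:59:50Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://sp.example.test/reports" Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    """Parse the UTC timestamp format SAML uses."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text: str) -> dict:
    """Split an assertion into the three assertion types from the notes:
    authentication (AuthnStatement), attribute (AttributeStatement) and
    authorization (AuthzDecisionStatement)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion element")
    cond = root.find("saml:Conditions", NS)
    out = {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "conditions": dict(cond.attrib) if cond is not None else {},
        "authentication": None,
        "attributes": {},
        "authorization": [],
    }
    authn = root.find("saml:AuthnStatement", NS)
    if authn is not None:  # authentication assertion: how/when the user proved identity
        out["authentication"] = {
            "instant": authn.get("AuthnInstant"),
            "context": authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
        }
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):  # attribute assertion
        out["attributes"][attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    for authz in root.iterfind("saml:AuthzDecisionStatement", NS):  # authorization assertion
        out["authorization"].append({
            "resource": authz.get("Resource"),
            "decision": authz.get("Decision"),
            "actions": [a.text for a in authz.iterfind("saml:Action", NS)],
        })
    return out


def conditions_hold(assertion: dict, now_iso: str) -> bool:
    """Validity-window check: NotBefore is inclusive, NotOnOrAfter exclusive.
    An assertion outside its window must be rejected even if correctly signed."""
    now = _ts(now_iso)
    cond = assertion["conditions"]
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _ts(not_before):
        return False
    if not_on_or_after and now >= _ts(not_on_or_after):
        return False
    return True


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print(parsed)
    print("valid at 12:02:", conditions_hold(parsed, "2024-01-01T12:02:00Z"))
    print("valid at 12:05:", conditions_hold(parsed, "2024-01-01T12:05:00Z"))
```

The service provider would consume the three parts differently: the authentication statement tells it the user logged in and how strongly, the attributes feed provisioning or authorization decisions of its own, and the authorization decision statement is the IdP's ruling on a specific resource and action.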
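The TOTP and HOTP entries above describe the same one-time-password construction driven by two different counters: HOTP (RFC 4226) advances the counter on each event such as a login, TOTP (RFC 6238) derives the counter from the clock, which is why the notes list time synchronization as a requirement. The code below is an added example, not from the original notes or from any token vendor; it implements both, plus the server-side verification that tolerates small clock drift. DEMO_SECRET is the published RFC 4226 test-vector secret, the 60-second step follows the notes (the RFC default and most authenticator apps use 30), and the skew window is a chosen assumption.

```python
import hashlib
import hmac
import struct

# The RFC 4226 / RFC 6238 test-vector secret (20 bytes). Real deployments
# provision a random per-user secret, normally shared as a base32 string.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): the event-based OTP from the notes.
    The code changes only when the counter changes, e.g. once per login."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian moving factor
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of whole time steps
    since the Unix epoch. Step defaults to 60 s to match the notes' 60-second
    window; RFC 6238 uses 30 s by default."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = 60, skew: int = 1) -> bool:
    """Server-side check. Accepting the current window plus +/- skew windows
    absorbs small clock drift between token and server; keep skew small,
    because every extra window widens the set of codes an attacker could guess.
    compare_digest avoids leaking the match position through timing."""
    for delta in range(-skew, skew + 1):
        expected = totp(secret, unix_time + delta * step, step, len(candidate))
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # HOTP: one code per counter value (the RFC 4226 appendix vectors)
    for c in range(3):
        print("HOTP counter", c, "->", hotp(DEMO_SECRET, c))
    # TOTP: one code per 60-second window; both times fall in window 1
    print("TOTP t=60 ->", totp(DEMO_SECRET, 60), " t=119 ->", totp(DEMO_SECRET, 119))
    print("verify with drift:", verify_totp(DEMO_SECRET, "755224", 70))
```

A deployment also needs replay protection on top of this: a TOTP code already accepted in a given window must be rejected on reuse, and an HOTP server must store the last accepted counter so that an earlier code cannot be presented again.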
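The access-control entries above (role-based access, rule-based access with predefined conditions, time-of-day restrictions, and implicit deny) combine naturally in one authorization check. The following is an added example, not part of the original notes or of any real product: roles carry permission sets, a rule attaches a time-of-day condition to one permission, and every path that does not positively grant the request ends in a denial. The organisation, users, roles, permissions and business-hours window are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed policy for a hypothetical organisation.
# Role-based access control: each role carries a fixed permission set.
ROLE_PERMISSIONS = {
    "analyst": {"reports:read"},
    "admin": {"reports:read", "reports:write", "users:manage"},
}
# Users map to roles; "mallory" has an account but holds no role.
USER_ROLES = {
    "alice": {"analyst"},
    "bob": {"admin"},
    "mallory": set(),
}


@dataclass(frozen=True)
class Request:
    user: str
    permission: str
    hour: int  # hour of day (0-23) at which the request is made


# Rule-based access control: predefined conditions a request must satisfy
# on top of holding the permission. This rule is a time-of-day restriction.
def business_hours(req: Request) -> bool:
    return 8 <= req.hour < 18


RULES = {
    "users:manage": [business_hours],  # account administration only 08:00-17:59
}


def permissions_for(user: str) -> set:
    """Union of the permissions granted by every role the user holds.
    Unknown users and role-less users resolve to the empty set."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(req: Request) -> tuple:
    """Return (allowed, reason). Only the final line grants access; every
    other exit is a denial, which is the implicit-deny default from the notes."""
    if req.permission not in permissions_for(req.user):
        return False, "implicit deny: no role grants " + req.permission
    for rule in RULES.get(req.permission, []):
        if not rule(req):
            return False, "rule failed: " + rule.__name__
    return True, "allowed"


if __name__ == "__main__":
    for r in (Request("alice", "reports:read", 10),
              Request("alice", "reports:write", 10),
              Request("bob", "users:manage", 10),
              Request("bob", "users:manage", 22),
              Request("mallory", "reports:read", 10),
              Request("eve", "reports:read", 10)):
        print(r, "->", authorize(r))
```

The reason string is what belongs in the audit log: a denial that names the failed rule or the missing permission lets a reviewer distinguish a misconfigured role from an out-of-hours access attempt.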