Kerberos
o Authentication-only protocol
o Used in Microsoft Active Directory
o Port 88
o SSO (Single Sign-On)
    Ability to authenticate once and have access to everything without authenticating again
    User must authenticate with the Key Distribution Center (KDC)
    Ticket Granting Service (TGS) runs on the KDC
o Provides the user with a ticket
    The ticket is presented to the server and access is granted without authenticating again

LDAP (Lightweight Directory Access Protocol)
o Provides access to directory services
o Port 389
    Can be paired with TLS/SSL for encryption (Secure LDAP)
o Vulnerable to:
    Buffer overflow
    Format string vulnerabilities
    Improperly formatted requests
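The Kerberos ticket flow described above (authenticate once to the KDC, get a ticket from the TGS, present it to the server), as an added example that is not part of the original notes. It is a toy, stdlib-only model of the three exchanges: the `seal`/`unseal` helper (SHA-256 keystream plus HMAC tag) stands in for Kerberos' real encryption types, and the principal names, passwords and service name are made up. The point it shows is that the password-derived key is used only in the first exchange and that the file server validates the ticket with its own key without talking to the KDC.

```python
"""Toy Kerberos-style SSO: AS, TGS and AP exchanges. Constructed example;
seal()/unseal() is NOT real Kerberos encryption, only a stand-in for it."""
import hashlib
import hmac
import json
import os


def derive_key(password: str, salt: str) -> bytes:
    # Kerberos string-to-key: the user's long-term key comes from the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC of a JSON object: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError on a wrong key or an altered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


def check_authenticator(session_key: bytes, authenticator: bytes, user: str,
                        now: float, skew: float = 300) -> None:
    """Proves the sender holds the session key and that the message is fresh."""
    a = unseal(session_key, authenticator)
    if a["user"] != user or abs(now - a["ts"]) > skew:
        raise PermissionError("bad authenticator: wrong principal or outside clock skew")


class KDC:
    """Key Distribution Center: holds every principal's long-term key; runs AS and TGS."""

    def __init__(self, principals: dict):
        self.keys = principals          # principal name -> long-term key
        self.krbtgt = os.urandom(32)    # key that protects TGTs (the krbtgt key)

    def as_exchange(self, user: str, preauth: bytes, now: float) -> bytes:
        """AS-REQ/AS-REP: the only step involving the password-derived key.
        The password never crosses the wire; pre-auth is a sealed timestamp."""
        pa = unseal(self.keys[user], preauth)           # fails if the password is wrong
        if abs(now - pa["ts"]) > 300:
            raise PermissionError("pre-auth timestamp outside clock skew")
        sk = os.urandom(32)                             # TGS session key
        tgt = seal(self.krbtgt, {"user": user, "sk": sk.hex(), "exp": now + 8 * 3600})
        return seal(self.keys[user], {"sk": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float) -> bytes:
        """TGS-REQ/TGS-REP: TGT + authenticator buy a service ticket; no password needed."""
        t = unseal(self.krbtgt, tgt)                    # opaque to the client
        if now > t["exp"]:
            raise PermissionError("TGT expired")
        sk = bytes.fromhex(t["sk"])
        check_authenticator(sk, authenticator, t["user"], now)
        svc_sk = os.urandom(32)
        ticket = seal(self.keys[service],
                      {"user": t["user"], "sk": svc_sk.hex(), "exp": now + 3600})
        return seal(sk, {"sk": svc_sk.hex(), "ticket": ticket.hex()})


def ap_exchange(service_key: bytes, ticket: bytes, authenticator: bytes, now: float) -> str:
    """AP-REQ: the service validates the ticket with its own key; the KDC is not contacted."""
    t = unseal(service_key, ticket)
    if now > t["exp"]:
        raise PermissionError("service ticket expired")
    check_authenticator(bytes.fromhex(t["sk"]), authenticator, t["user"], now)
    return t["user"]


def sso_demo(now: float = 1_700_000_000.0) -> str:
    """alice authenticates once, then reaches the file server without re-entering a password."""
    alice_key = derive_key("correct horse battery", "EXAMPLE.COMalice")   # made-up password
    fileserver_key = os.urandom(32)                                       # service keytab key
    kdc = KDC({"alice": alice_key, "cifs/fs01.example.com": fileserver_key})
    # 1. AS exchange
    rep = unseal(alice_key, kdc.as_exchange("alice", seal(alice_key, {"ts": now}), now))
    sk, tgt = bytes.fromhex(rep["sk"]), bytes.fromhex(rep["tgt"])
    # 2. TGS exchange: the TGT, not the password, is presented
    rep = unseal(sk, kdc.tgs_exchange(tgt, seal(sk, {"user": "alice", "ts": now}),
                                      "cifs/fs01.example.com", now))
    svc_sk, ticket = bytes.fromhex(rep["sk"]), bytes.fromhex(rep["ticket"])
    # 3. AP exchange: ticket plus a fresh authenticator go to the file server
    return ap_exchange(fileserver_key, ticket, seal(svc_sk, {"user": "alice", "ts": now}), now)
```

Two things to take from the model: the client holds the TGT and the service ticket but can neither read nor alter them (they are sealed under the krbtgt and service keys), and every ticket carries an expiry and must be accompanied by a fresh authenticator, which is what limits replay.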
Secure LDAP
o LDAP over TLS/SSL
o Port 636

XTACACS
o Cisco-proprietary protocol
o Allows a remote access server to communicate with an authentication server

SAML (Security Assertion Markup Language)
o An XML framework for creating and exchanging security information between online partners
o Identity mechanism
o Used by most cloud and SaaS service providers
    WebEx, Google Apps, Salesforce
o Authentication assertion – validates the user's identity
o Attribute assertion – contains information about the user
o Authorization assertion – identifies what the user is authorized to do

Given a Scenario, Select the Appropriate Authentication, Authorization, or Access Control

Multifactor Authentication
o Two or more of the types of authentication
o Something you know, have, are, or do, or somewhere you are

Discretionary Access Control (DAC)
o The owner of the resource decides who may access it (e.g. sets the ACL on a file)

Rule-Based Access Control (RBAC; sometimes written RB-RBAC to distinguish it from role-based)
o Allow access if predefined conditions are met

Role-Based Access Control (RBAC)
o Restrict access based on roles
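Returning to the three SAML assertion types listed above, here is an added example (not from the original notes) that parses a SAML 2.0 assertion with the standard library and pulls out the authentication, attribute and authorization statements. The IdP, SP, user and attribute values are constructed. Before trusting any statement the code checks the `Conditions` element (validity window and audience); a real service provider must also verify the XML signature, which is not shown here.

```python
"""Reading the three SAML assertion types from a SAML 2.0 assertion (stdlib only).
Constructed example: issuer, audience, subject and attribute values are made up.
Signature verification, which a real SP must do first, is deliberately omitted."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_id1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="group"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://sp.example.com/reports" Decision="Permit">
    <saml:Action>read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""


def parse_assertion(xml_text: str, expected_audience: str, now: str) -> dict:
    """Check Conditions (validity window, audience), then extract the three assertion types.
    `now` is an ISO-8601 UTC timestamp in the same zero-padded form SAML uses,
    so plain string comparison orders the timestamps correctly."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if not (cond.get("NotBefore") <= now < cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window (stale or replayed)")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was issued for a different service provider")

    authn = root.find("saml:AuthnStatement", NS)
    attrs = {a.get("Name"): a.find("saml:AttributeValue", NS).text
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    authz = [(d.get("Resource"), d.get("Decision"),
              [x.text for x in d.findall("saml:Action", NS)])
             for d in root.findall("saml:AuthzDecisionStatement", NS)]
    return {
        "issuer": root.find("saml:Issuer", NS).text,
        "subject": root.find("saml:Subject/saml:NameID", NS).text,
        # authentication assertion: who authenticated, when, and how strongly
        "authn": {"instant": authn.get("AuthnInstant"),
                  "context": authn.find("saml:AuthnContext/saml:AuthnContextClassRef", NS).text},
        # attribute assertion: information about the user
        "attributes": attrs,
        # authorization assertion: what the user may do to which resource
        "authz": authz,
    }
```

The audience check is the one most often skipped in hand-rolled SP code: without it, an assertion the IdP issued for one relying party can be replayed to another.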
Time-of-Day Restrictions
o Restrictions based on the time of day

Authentication
o Tokens
    Devices that generate a one-time password, typically every 60 seconds
    Example: RSA SecurID
o Smart Card
    Card with a built-in processor/memory chip
    Can contain medical or credit information
    Common Access Card (CAC)
        Example of a smart card
        Can give entrance to a building
    Personal Identity Verification (PIV)
        Used by federal employees and contractors
o TOTP (Time-based One-Time Password)
    Password that can only be used once
    Password changes for each time window (30 seconds by default in RFC 6238; 60 seconds on RSA SecurID)
    Requires time synchronization between token and server
o HOTP (HMAC-based One-Time Password)
    Password changes based on events, not time
    A counter increments each time a code is used, so the password changes on each login
o CHAP (Challenge Handshake Authentication Protocol)
    Never sends the password itself: the client answers a server challenge with an MD5 hash of the challenge and the shared secret
o PAP (Password Authentication Protocol)
    Sends passwords in clear text
o Single Sign-On (SSO)
    Example: Kerberos
    User does not have to re-enter the password
    KDC (Key Distribution Center)
    TGS (Ticket Granting Service)
o Access control
    MAC, DAC, RBAC
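An added example, not from the original notes, covering the HOTP/TOTP and CHAP/PAP items above: HOTP (RFC 4226) and TOTP (RFC 6238) implemented from scratch, a server-side HOTP validator that moves its counter forward so a used code cannot be replayed, a TOTP check with a one-step clock-skew window, and a CHAP exchange next to a PAP exchange so the difference in what crosses the wire is visible. The OTP secret is the RFC test-vector key `12345678901234567890`; the CHAP/PAP secrets and user name are made up.

```python
"""HOTP (RFC 4226), TOTP (RFC 6238) and CHAP (RFC 1994) vs PAP, stdlib only.
Constructed example; "12345678901234567890" is the RFC test-vector key."""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, int(unix_time // step), digits)


class HotpValidator:
    """Server side of an event-based token. The counter only moves forward,
    so an accepted code (or any earlier one) is never accepted again."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1        # resync past codes the user generated but never sent
                return True
        return False


def verify_totp(secret: bytes, code: str, unix_time: float, step: int = 30,
                skew_steps: int = 1) -> bool:
    """Accept the current step plus/minus skew_steps to tolerate small clock drift."""
    t = int(unix_time // step)
    return any(hmac.compare_digest(hotp(secret, t + d), code)
               for d in range(-skew_steps, skew_steps + 1))


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_exchange(secret: bytes, challenge: bytes = b""):
    """One CHAP authentication; returns (accepted, wire transcript).
    Only the challenge and the hash travel on the wire, never the secret."""
    challenge = challenge or os.urandom(16)
    ident = 1
    transcript = [("server->client CHALLENGE", challenge)]
    response = chap_response(ident, secret, challenge)                        # client side
    transcript.append(("client->server RESPONSE", response))
    accepted = hmac.compare_digest(response, chap_response(ident, secret, challenge))  # server
    return accepted, transcript


def pap_exchange(user: bytes, password: bytes):
    """PAP by contrast puts the password itself on the wire."""
    return True, [("client->server AUTHENTICATE-REQUEST", user + b":" + password)]


def secret_on_wire(secret: bytes, transcript) -> bool:
    """True if the secret appears verbatim in any message of the transcript."""
    return any(secret in payload for _, payload in transcript)
```

The validator's look-ahead window is what the notes mean by the HOTP password "changing on each login": the server tracks how many codes have been consumed, and a code from a counter value at or below the last accepted one is rejected even though the token would still display it.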
o Implicit deny
    If not explicitly allowed, then deny
o Trusted OS
    OS with security built into it

Authentication Factors
o Something you know (passwords, login ID)
o Something you have (smart card, hardware token)
o Something you are
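An added example, not from the original notes, that puts the access control models from this section (DAC, rule-based, role-based, MAC) and the implicit-deny rule above into one small policy check so the differences between them can be exercised. The subjects, roles, resource, labels and business-hours rule are constructed.

```python
"""DAC, rule-based, role-based and MAC as small policy checks, tied together by
implicit deny. Constructed example: users, roles, resource and labels are made up."""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Subject:
    name: str
    roles: set            # role-based access control
    clearance: int        # MAC: 0 = public, 1 = internal, 2 = secret


@dataclass
class Resource:
    name: str
    owner: str            # DAC: the owner manages the ACL
    classification: int   # MAC: the label the resource carries
    acl: dict = field(default_factory=dict)   # user -> permissions granted by the owner


# Role-based: permissions hang off roles, never off individual users.
ROLE_PERMISSIONS = {"hr": {"read"}, "admin": {"read", "write"}}


def dac_allows(subject: Subject, resource: Resource, perm: str) -> bool:
    """DAC: the resource owner decides; the owner always has access."""
    return subject.name == resource.owner or perm in resource.acl.get(subject.name, set())


def role_allows(subject: Subject, perm: str) -> bool:
    """Role-based: some role the subject holds must carry the permission."""
    return any(perm in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)


def rule_allows(when: datetime, start_hour: int = 8, end_hour: int = 18) -> bool:
    """Rule-based: a predefined condition, here a weekday business-hours restriction."""
    return when.weekday() < 5 and start_hour <= when.hour < end_hour


def mac_allows(subject: Subject, resource: Resource) -> bool:
    """MAC: labels decide, not owners; a subject may not read above its clearance."""
    return subject.clearance >= resource.classification


def authorize(subject: Subject, resource: Resource, perm: str, when: datetime, model: str) -> bool:
    """Evaluate one model. An unknown model, unknown permission or unmatched rule
    grants nothing explicitly, so it falls through to implicit deny."""
    checks = {
        "DAC": lambda: dac_allows(subject, resource, perm),
        "role": lambda: role_allows(subject, perm),
        "rule": lambda: rule_allows(when),
        "MAC": lambda: mac_allows(subject, resource),
    }
    check = checks.get(model)
    return bool(check and check())


# Constructed sample data (Jan 8 2024 is a Monday, Jan 6 2024 a Saturday)
ALICE = Subject("alice", roles={"admin"}, clearance=2)
BOB = Subject("bob", roles={"hr"}, clearance=0)
PAYROLL = Resource("payroll.xlsx", owner="alice", classification=1, acl={"bob": {"read"}})
MONDAY_10AM = datetime(2024, 1, 8, 10, 0)
MONDAY_10PM = datetime(2024, 1, 8, 22, 0)
SATURDAY_10AM = datetime(2024, 1, 6, 10, 0)
```

Note how the same request (bob reading payroll) is allowed under DAC because alice put him on the ACL, allowed under role-based because the hr role can read, but refused under MAC because his clearance is below the resource's label: the model chosen for a scenario, not the request, decides the outcome.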