Identity And Access Services

Question 1

Kerberos

• What does it do
• What does it prevent
• What does it have, what does that prevent
• SSO?
• AAA?

Answer 1

Kerberos

• Network authentication mechanism used with Windows Active Directory and some Unix realms
• Provides mutual authentication.
• Mutual authentication prevents man in the middle attacks
• SSO (Single Sign On) - only authenticate once
• Tickets and timestamps prevent replay attacks.
• Not AAA - no accounting

Question 2

NTLM

-Vulnerable to what

Answer 2

NTLM
New Technology LAN Manager
-Message digest hashing algorithm to challenge users and check credentials
-Confidentiality, integrity, authentication
-Windows
-Somewhat insecure
-Vulnerable to pass the hash attacks (use someone else’s password hash to log in)
-Use Kerberos instead

Question 3

LDAP

-Port

Answer 3

Windows active directory domains and linux realms

• use to identify objects with codes like CN=Users and CD=GetCertifiedGetAhead (X.500 attribute/value pairs, most specific listed first; hierarchical tree)
• TCP/IDP port 389
• LDAPS encrypts w/ TLS

Question 4

RADIUS

• What is it?
• What does it provide?
• How does it work?
• Encryption?
• key?
• Connection?
• Does it challenge

Answer 4

RADIUS

• Authentication service that provides central authentication for remote clients
• AAA - Authentication, Authorization, Accounting
• All VPNs connect to RADIUS server, so only change password once, all VPNs will see
• Common for RADIUS server to access LDAP server holding accounts
• Encrypts password packets, but not entire authentication process
• Used shared key (shared secret) - symmetric encryption
• Uses UDP - best effort delivery, not guaranteed delivery
• Server does not challenge

Question 5

Diameter

• What is it?
• What does it provide?
• What does it use?
• Security
• Does it challenge

Answer 5

Diameter

• Authentication service that provides central authentication for remote clients
• AAA - Authentication, Authorization, Accounting
• Extension of RADIUS
• TCP - guaranteed delivery
• Can secure transmissions with EAP
• Server does not challenge

Question 6

CHAP

• What is it?
• What does it do?
• Is it secure?
• Does it challenge?

Answer 6

CHAP

• Challenge Handshake Authentication Protocol
• VPN authentication service
• Server send encrypted challenge
• Client responds with hash calculated from challenge and password and nonce
• Server compares received hash with stored hash
• Not plaintext - more secure than PAP

Question 7

MS-CHAP

• What is it?
• What doe sit provide?
• How does it work?
• Is it good?

Answer 7

MS-CHAP

• Microsoft CHAP
• VPN authentication service (provides authentication)
• v2 supports mutual authentication
• Don’t use! Uses DES, easy to brute force 256 possible keys

Question 8

PAP

Answer 8

PAP

• Password Authentication Protocol
• VPN authentication service
• Sends passwords as cleartext
• Should not use

Question 9

TACACS+

• What is it?
• What does it provide?
• Encryption?
• How does it work?
• Does it challenge?
• SSO?

Answer 9

TACACS+

• Authentication service that provides central authentication for remote clients
• AAA - Authentication, Authorization, Accounting
• Alternative to RADIUS
• Cisco
• Encrypts entire authentication process
• Multiple challenge/response
• Can be used with with Kerberos
• No SSO
• TCP

Question 10

OAuth

Answer 10

OAuth

• Authorization framework
• Use Google, Facebook, Twittter, etc accounts to authorize
• Not an authentication protocol
• OpenID Connect handles single sign-on authentication

Question 11

NAC

Answer 11

NAC
Network Access Control
-Inspect clients to ensure healthy
-user or system authentication
-802.1x is a form of NAC
-Encryption of traffic to the wireless and wired network using protocols for 802.1X such as EAP-TLS, EAP-PEAP or EAP-MSCHAP
-Often tied to Role-based Access. Access to the network will be given according to the profile of the person and the results of a posture/health check.

Question 12

Uses a challenge message during authentication

-Three answers

Answer 12

Uses a challenge message during authentication

• CHAP - Challenge Handshake Authentication Protocol
• MS-CHAPv2 - mutual authentication
• NTLM
• TACAS+ (multiple challenge/response)

Question 13

Directory Services

-What technology to implement?

Answer 13

Directory Services

• Authentication protocol: Kerberos
• LDAP or LDAPS

Question 14

RADIUS Federation

Answer 14

RADIUS Federation

• 802.1x and RADIUS can create federation
• Two or more entities share
• SSO