Access Control
Mod 10.1 Authentication
Objective 4.1 | 4.3
IAM (Identity and Access Management): the four functions below, applied to every subject (user, device, or process)
Identification: creating an account or ID that uniquely represents the user, device, or process (the subject) on the network
Authentication: proving that the subject using the account is who it claims to be, e.g. with a password (something you know), a token (something you have), or a digital certificate
Authorization: deciding what rights each subject should have on each resource, and granting only those rights
Accounting: tracking authorized use of a resource or exercise of rights by a subject, and alerting when unauthorized use is detected or attempted
Authentication Methods
Local Authentication
Terminology: Linux calls it a login; Microsoft calls it a logon.
Windows authentication:
- local sign-in: the Local Security Authority (LSA) compares the submitted credential to a hash stored in the Security Accounts Manager (SAM) database
- network sign-in: the LSA passes the credentials to a network authentication service instead of the local SAM; in a domain this is Kerberos (or NTLM as a fallback) against a domain controller
- remote sign-in: access over a VPN or a web portal; the credential is still verified by one of the two methods above
Linux authentication:
- local user account names, UIDs and login shells are stored in /etc/passwd, which is world-readable, so its password field holds only an "x" placeholder
- the password is checked against a hash stored in /etc/shadow, which is readable only by root; the hash prefix (e.g. $6$) identifies the algorithm
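Added example (not part of the course notes): a small audit of the /etc/passwd and /etc/shadow fields described above. The account lines, the fixed "today" date and the 365-day default rotation policy are all constructed for illustration; the hash values are placeholders, not real crypt(3) output. It flags the things a local-authentication review looks for: accounts with no password at all, weak hash algorithms, and passwords older than the shadow "max" field or the site policy.

```python
# Added example (not part of the course notes): audit constructed
# /etc/passwd and /etc/shadow entries for common local-auth weaknesses.
# Sample lines, EXAMPLE_TODAY and the 365-day policy are assumptions.
from datetime import date

# Constructed /etc/passwd lines: name:x:uid:gid:gecos:home:shell
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
legacy:x:1002:1002:Legacy app:/srv/legacy:/bin/sh
guest::1003:1003:Guest:/home/guest:/bin/bash
"""

# Constructed /etc/shadow lines (hash values are placeholders):
# name:hash:lastchange(days since 1970-01-01):min:max:warn:inactive:expire:reserved
SHADOW = """\
root:$6$saltsalt$hashhash:19600:0:99999:7:::
alice:$6$q8Gp1a2b$hashhash:19600:0:90:7:::
bob:!$6$lockedsalt$hashhash:19600:0:99999:7:::
legacy:$1$oldsalt$hashhash:18000:0:99999:7:::
guest::19700:0:99999:7:::
"""

EXAMPLE_TODAY = date(2024, 1, 1)  # fixed "now" so the audit is reproducible
EPOCH = date(1970, 1, 1)

# crypt(3) prefixes -> algorithm names
HASH_ALGOS = {"$1$": "md5crypt", "$2b$": "bcrypt", "$5$": "sha256crypt",
              "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}

def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, uid, _gid, _gecos, _home, shell = line.split(":")
        users[name] = {"passwd_field": pw, "uid": int(uid), "shell": shell}
    return users

def parse_shadow(text):
    entries = {}
    for line in text.splitlines():
        if not line:
            continue
        f = line.split(":")
        entries[f[0]] = {"hash": f[1],
                         "lastchange": int(f[2]) if f[2] else None,
                         "max": int(f[4]) if f[4] else None}
    return entries

def hash_algorithm(field):
    """Name the hash algorithm; '!'/'*' lock markers are skipped over."""
    h = field.lstrip("!*")
    if not h:
        return "none"
    for prefix, name in HASH_ALGOS.items():
        if h.startswith(prefix):
            return name
    return "unknown" if h.startswith("$") else "descrypt"

def audit(passwd_text, shadow_text, today, max_age_days=365):
    """Return (account, finding) pairs for the constructed policy."""
    users, shadow = parse_passwd(passwd_text), parse_shadow(shadow_text)
    today_days = (today - EPOCH).days
    findings = []
    for name, u in users.items():
        if u["uid"] == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if u["passwd_field"] == "":
            findings.append((name, "empty password field in /etc/passwd: no password required"))
        s = shadow.get(name)
        if s is None:
            findings.append((name, "no /etc/shadow entry"))
            continue
        h = s["hash"]
        if h == "":
            findings.append((name, "empty hash in /etc/shadow: password-less login"))
            continue
        if h.startswith(("!", "*")):
            continue  # locked account: nothing to rotate or crack
        algo = hash_algorithm(h)
        if algo in ("md5crypt", "descrypt"):
            findings.append((name, f"weak password hash ({algo})"))
        if s["lastchange"] is not None:
            age = today_days - s["lastchange"]
            limit = s["max"] if s["max"] is not None and s["max"] < 99999 else max_age_days
            if age > limit:
                findings.append((name, f"password is {age} days old (limit {limit})"))
    return findings

if __name__ == "__main__":
    for account, finding in audit(PASSWD, SHADOW, EXAMPLE_TODAY):
        print(f"{account}: {finding}")
```

Run it as root against the real files by reading /etc/passwd and /etc/shadow into the two strings; the "99999" max-age sentinel is treated as "no limit set", so the site policy is applied instead.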
Single Sign-On and Kerberos
single sign-on (SSO): the user authenticates once to a local device and is then authorized to access compatible application servers without entering credentials again
Kerberos (named after Cerberus, the three-headed guard dog of Greek myth): the ticket-based protocol that provides SSO authentication in Active Directory; because it is an open standard, non-Windows operating systems can also authenticate against the same domain
Digital Certificates and PKI
Digital certificates: built on public key cryptography (asymmetric encryption), where each subject holds a key pair and the private key cannot feasibly be derived from the public key; the certificate binds the subject's identity to its public key and is signed by a certificate authority (CA)
Public key infrastructure (PKI): the CAs, policies and procedures that prove the owners of public keys are who they say they are, by issuing, distributing and revoking certificates
Key Management
Key Management: the operational considerations for each stage in the lifecycle of an encryption key or key pair. In the centralized model a key server or CA generates and manages keys on behalf of users and devices.
(1) Key Generation: creates an asymmetric key pair or symmetric secret key of the required strength, using the chosen cipher
(2) Storage: prevents unauthorized access to a private or secret key and protects it against loss or damage (backup, escrow, or hardware storage such as a TPM or HSM)
(3) Revocation: prevents use of the key if it is compromised; for certificates this is published in a certificate revocation list (CRL) or checked online via OCSP
(4) Expiration and Renewal: gives the certificate that validates the key a "shelf life", so that a weak or quietly compromised key cannot stay in use indefinitely
Decentralized key management model: keys are generated and managed directly on the computer or user account that will use the certificate, so the private key never leaves that host, but it also cannot be centrally backed up or escrowed
Federated Identity and SAML
Federated Identity: a company trusts accounts created and managed by a different network (an identity provider), so users of that network can access the company's services without a separate local account
Security Assertion Markup Language (SAML): an XML-based data format used to exchange authentication information; the identity provider issues a signed assertion about the user, which the client (typically a browser) relays to the service provider
Remote Authentication
Remote authentication to a cloud network is typically done over a VPN; remote authentication to an individual host over a private network uses SSH (Linux) or RDP (Windows).
Supplicant: the device requesting access, such as a user's PC or laptop
Network access server (NAS) or network access point (NAP): the edge appliance the supplicant connects to (a switch, wireless access point, or VPN gateway); it acts as the AAA client, or authenticator, relaying the supplicant's credentials to the AAA server and enforcing the server's decision
AAA server: the authentication server, positioned within the local network; it holds a database of accounts and credentials, or has access to a directory server, so that it can authenticate requests and issue SSO authorizations
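Added example (not part of the course notes): the NAS-to-AAA-server leg of the architecture above, using RADIUS (RFC 2865), the protocol an AAA server normally speaks. The code plays both roles in one process: the NAS hides the supplicant's PAP password in an Access-Request, the AAA server recovers it, checks a constructed user database, and returns an Access-Accept or Access-Reject whose Response Authenticator proves it came from a server holding the shared secret. The shared secret (s3cret), the user database, the NAS address (192.0.2.10) and the packet identifier are all assumptions.

```python
# Added example (not from the course notes): a minimal RADIUS (RFC 2865)
# Access-Request / Access-Accept exchange between the NAS (authenticator)
# and the AAA server. Shared secret, user database and NAS address are
# constructed. MD5 is used because the RFC mandates it, not by choice.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types

USER_DB = {b"alice": b"correct horse"}   # constructed AAA database
NAS_ADDR = bytes([192, 0, 2, 10])        # assumed NAS address (TEST-NET)

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")   # strip the zero padding

def encode_attrs(attrs):          # [(type, value)] -> TLV bytes
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, authenticator, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length")
    return code, ident, pkt[4:20], pkt[20:length]

def response_authenticator(code, ident, request_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

# NAS side: wrap the supplicant's credential in an Access-Request.
def nas_access_request(username, password, secret, ident):
    request_auth = os.urandom(16)   # must be unpredictable per request
    body = encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, NAS_ADDR),
    ])
    return build_packet(ACCESS_REQUEST, ident, request_auth, body), request_auth

# AAA server side: recover the password, decide, authenticate the reply.
def aaa_handle(pkt, secret):
    code, ident, request_auth, body = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    attrs = dict(decode_attrs(body))
    username = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = username in USER_DB and hmac.compare_digest(USER_DB[username], password)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply, ident, request_auth, b"", secret)
    return build_packet(reply, ident, auth, b"")

# NAS side again: act on the verdict only if the reply is authentic.
def nas_verify_reply(reply, request_auth, secret, ident):
    code, reply_ident, auth, body = parse_packet(reply)
    expected = response_authenticator(code, reply_ident, request_auth, body, secret)
    if reply_ident != ident or not hmac.compare_digest(auth, expected):
        raise ValueError("reply not from the AAA server (or wrong secret)")
    return code == ACCESS_ACCEPT

def authenticate(username, password, nas_secret=b"s3cret", aaa_secret=b"s3cret", ident=7):
    """Run the whole exchange in-process; True means Access-Accept."""
    request, request_auth = nas_access_request(username, password, nas_secret, ident)
    reply = aaa_handle(request, aaa_secret)
    return nas_verify_reply(reply, request_auth, nas_secret, ident)

if __name__ == "__main__":
    print("alice / correct horse ->", authenticate(b"alice", b"correct horse"))
    print("alice / wrong         ->", authenticate(b"alice", b"wrong"))
```

The only thing protecting the password on the wire is the MD5-derived mask keyed by the shared secret, and the only thing protecting the verdict is the Response Authenticator, which is why RADIUS between NAS and AAA server should run over IPsec or RadSec (RADIUS over TLS) and why 802.1X deployments prefer EAP methods over PAP. The Message-Authenticator attribute (RFC 2869) is omitted here for brevity.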