CompTIA Single Sign On
49 community-sourced questions and answers.
Access Control
allowing the correct users into a system
Identification vs. Authentication
Identification means finding out who someone is; authentication is the mechanism of verifying that identification.
Authentication (Single Factor) and Authorization
Single Factor Authentication (SFA), because only one type of authentication is checked (i.e., username/password).
Mutual Authentication
Client and server both authenticate themselves to each other
Multifactor Authentication
Using two or more access methods as part of the authentication system (i.e., login/password and smart card). However, password and PIN are still one factor, as they both use the "something you know" methodology.
Layered Security/Defense in Depth
Synonymous with one another; have multiple layers of security (i.e., a guard at the door but also a lock on the door), so firewall, antivirus, IDS, etc.
Network Access/Admission Control (NAC)
Operational security focuses on how an organization achieves its goals and management security. Focus is on topology and connections instead of the physical components where the data is stored.
Security Tokens
Similar to certificates in that they are used to identify and authenticate the user. They contain the rights and access privileges of the token bearer as part of the token (pg 135, figure 4.3).
Federations
a federation is a collection of computer networks that agree on standards of operation such as security standards. Normally, these are networks that are related in some way. In some cases, it could be an industry association that establishes such standards
Federated identity
means of linking a user's identity with their privileges in a manner that can be used across business boundaries (for example, Microsoft Passport or Google checkout)
Authentication Protocols
Password Authentication Protocol (PAP); Shiva Password Authentication Protocol (SPAP); Challenge Handshake Authentication Protocol (CHAP); Time-Based One-Time Password (TOTP); HMAC-Based One-Time Password (HOTP)
Password Authentication Protocol (PAP)
An older authentication protocol that is no longer used. PAP sends the username and password to the authentication server in plaintext.
Shiva Password Authentication Protocol (SPAP)
Replaced PAP. The main difference is that SPAP encrypts the username and password.
Challenge Handshake Authentication Protocol (CHAP)
Designed to stop man-in-the-middle attacks. During the initial authentication, the connecting machine is asked to generate a random number (usually a hash) and send it to the server. Periodically the server will challenge the client machine, demanding to see that number again. If an attacker has taken over the session, they won't know that number and won't be able to authenticate.
Time-Based One-Time Password (TOTP)
Algorithm that uses a time-based factor to create unique passwords.
HMAC-Based One-Time Password (HOTP)
Algorithm that is based on using a Hash Message Authentication Code (HMAC) algorithm.
Serial Line Internet Protocol (SLIP)
Older protocol that was used in early remote access environments and serves as the starting point for most remote access discussions. Originally designed to connect Unix systems in a dial-up environment, and it only supported serial communications.
Point-to-Point Protocol (PPP)
Offers support for multiple protocols, including AppleTalk, IPX, and DECnet. PPP works with POTS, Integrated Services Digital Network (ISDN) and other faster connections such as T1. PPP doesn't provide data security, but it does provide authentication using CHAP.
PPP Information
Would normally use a 64 Kbps B channel for transmission. Allows many channels in a network connection such as ISDN to be connected or bonded together to form a single virtual connection. Works by encapsulating the network traffic in a protocol called the Network Control Protocol (NCP). Authentication is handled by the Link Control Protocol (LCP). Allows remote users to log on and have access as though they were local users on the network.
Common Tunneling Protocols (PPTP)
Point-to-Point Tunneling Protocol (PPTP) supports encapsulation in a single point-to-point environment. PPTP encapsulates and encrypts PPP packets. This makes PPTP a favorite low-end protocol for networks. Negotiation is done in the clear, then the channel is encrypted. A packet-capture device, such as a sniffer, can capture the negotiation process. PPTP uses port 1723 and TCP.
Common Tunneling Protocols (L2F)
Created by Cisco as a method of creating tunnels primarily for dial-up connections. Similar in capability to PPP and shouldn't be used over WANs. Provides authentication but doesn't provide encryption. L2F uses port 1701 and TCP.
Common Tunneling Protocols (L2TP)
Microsoft and Cisco combined their protocols into Layer 2 Tunneling Protocol (L2TP). Hybrid of PPTP and L2F. Primarily a point-to-point protocol. Works over IPX, SNA, and IP, so it can be used as a bridge across many types of systems. L2TP does not provide data security; the data is not encrypted. Security can be provided by IPSec. L2TP uses port 1701 and UDP.
Common Tunneling Protocols (SSH)
Secure Shell (SSH) was originally designed for Unix systems. It uses encryption to establish a secure connection between two systems. SSH also provides alternative, security-equivalent programs for such Unix standards as Telnet and FTP. SSH uses port 22 and TCP.
Common Tunneling Protocols (IPSec)
Internet Protocol Security (IPSec) isn't a tunneling protocol; it is used in conjunction with tunneling protocols. Oriented primarily toward LAN-to-LAN connections, but it can also be used with remote connections. Provides secure authentication and encryption of data and headers, which makes it a good choice for security. Two modes: tunneling and transport. In tunneling mode, both data and message headers are encrypted; transport mode only encrypts the data. It is an add-on to IPv4 and built into IPv6.
Remote Authentication Dial-In User Service (RADIUS)
A mechanism that allows authentication of remote and other network connections. Originally intended for use on dial-up connections, it has moved well beyond that and offers many state-of-the-art features. The RADIUS protocol is an IETF standard. Can be managed centrally and the servers that allow access to a network can verify with a RADIUS server whether an incoming caller is authorized.
Terminal Access Controller Access-Control System (TACACS)
Client/server-oriented environment, and it operates in a manner similar to RADIUS. Extended TACACS (XTACACS) replaced the original version and combined authentication and authorization with logging to enable auditing. The most current method is TACACS+, which replaces the previous two incarnations. Allows credentials to be accepted from multiple methods, including Kerberos. The client/server process occurs in the same manner as the RADIUS process. Implemented by Cisco. Widely accepted as an alternative to RADIUS.
Virtual Local Area Network (VLAN) Management
Allows you to create groups of users and systems and segment them on the network. The segmentation lets you hide segments of the network from other segments and thereby control access. You can also set up VLANs to control the paths that data takes to get from one point to another. A VLAN is a good way to contain network traffic to a certain area in a network. The key benefit for security is grouping users with similar data sensitivity levels.
Security Assertion Markup Language (SAML)
An open standard based on XML that is used for authentication and authorization data. Service providers often use SAML to prove the identity of someone connecting to the service provider. The current version is SAML v2.0.
Lightweight Directory Access Protocol (LDAP)
A standardized directory access protocol that allows queries to be made of directories (specifically, pared-down X.500-based directories). If a directory service supports LDAP, you can query that directory with an LDAP client, but it's LDAP itself that is growing in popularity and is being used extensively in online white and yellow pages. Main access protocol used by Active Directory. It operates, by default, on port 389. LDAP syntax uses commas between names. An LDAP breach can be quite serious, so many use secure LDAP (LDAPS), where all communications are encrypted with SSL/TLS and port 636 is used.
Kerberos
Authentication protocol named after the mythical three-headed dog that stood at the gates of Hades. Originally designed by MIT, Kerberos is very popular as an authentication method. It allows for a single sign-on to a distributed network. Uses a key distribution center (KDC) to orchestrate the process. The KDC authenticates the principal (user, program, or system) and provides it with a ticket. The ticket can be used to authenticate against other principals. The only significant weakness is that the KDC can be a single point of failure.
Single Sign-On Initiatives
One of the big problems that larger systems must deal with is the need for users to access multiple systems or applications. This may require a user to remember multiple accounts and passwords. The purpose of single sign-on (SSO) is to give users access to all the applications and systems they need when they log on.
Active Directory (AD)
Retains information about all access rights for all users and groups in the network. When a user logs on to the system, AD issues the user a globally unique identifier (GUID). Applications that support AD can use this GUID to provide access control.
Understanding Access Control (Four primary Methods)
Mandatory Access Control (MAC): all access is predefined; Discretionary Access Control (DAC): incorporates some flexibility; Role-Based Access Control (RBAC): allows the user's role to dictate access capabilities; Rule-Based Access Control (also RBAC): limits the user to settings in preconfigured policies.
Lattice-Based Control (LBAC)
A variation of Mandatory Access Control (MAC). Involves a lattice composed of subjects (users, systems, etc.) and resources, and the resources are labeled to provide access control.
Mandatory Access Control (MAC)
A relatively inflexible method for how information access is permitted. In a MAC environment, all access capabilities are predefined. Users can't share information unless their rights to share it are established by administrators. Enforces a rigid model of security and is considered the most secure security model. Lack of flexibility and required change over time are weaknesses. The inability of administrative staff to address these changes can sometimes make the model hard to maintain.
Discretionary Access Control (DAC)
Network users have some flexibility regarding how information is accessed. This model allows users to share information dynamically with other users. The method allows for a more flexible environment, but it increases the risk of unauthorized disclosure of information.
Role-Based Access Control (RBAC)
Approaches the problem of access control based on established roles in an organization. RBAC models implement access by job function or by responsibility. Provides more flexibility than the MAC model and less flexibility than the DAC model. Has the advantage of being strictly based on job function as opposed to individual needs. Sometimes called group-based control or group-based permissions.
Rule-Based Access Control (RBAC)
Uses the settings in preconfigured security policies to make all decisions. Rules can be: deny all but those who specifically appear in a list (allow list); deny only those who specifically appear in the list (true deny list). Entries in the list may be usernames, IP addresses, hostnames, or even domains. Rule-Based models are often used in conjunction with Role-Based to add greater flexibility. The easiest way to implement Rule-Based Access Control is with access control lists (ACLs).
Port Security
Port security works at Layer 2 of the OSI model and allows an administrator to configure switch ports so that only certain MAC addresses can use the port.
MAC Limiting and Filtering
Limit access to the network to MAC addresses that are known, and filter out those that are not. Even in a home network, you can implement MAC filtering with most routers and typically have the option of allowing only computers with MAC addresses that you list. MAC filtering is not foolproof, and a quick look in a search engine will turn up tools that can be used to change the MAC address and help miscreants circumvent this control.
802.1X
As discussed in the following section, adding port authentication to MAC filtering takes security for the network down to the switch port level and increases your security exponentially. Defines port-based security for wireless network access control. Offers a means of authentication and defines the Extensible Authentication Protocol (EAP) over IEEE 802 (EAPOL). The access points and the switches do not need to do the authentication but instead rely on the authentication server to do the actual work.
Unused Ports
All ports not in use should be disabled. Otherwise, they present an open door for an attacker to enter.
EAPOL (Extensible Authentication Protocol)
EAP over LAN (EAPOL); see chapter 12.
Flood Guards and Loop Protection
Flood guard is a protection feature built into many firewalls that allows the administrator to tweak the tolerance for unanswered login attacks. Reducing the tolerance makes it possible to lessen the likelihood of a successful DoS attack. Loop protection is a similar feature that works in Layer 2 switching configurations and is intended to prevent broadcast loops. The Spanning Tree Protocol (STP) is intended to ensure loop-free bridged Ethernet LANs. It operates at the Data Link layer and ensures only one active path exists between two stations.
Preventing Network Bridging
Network bridging occurs when a device has more than one network adapter card installed and the opportunity presents itself for a user on one of the networks to which the device is attached to jump to the other. Although multiple cards have been used in servers for years, it is not uncommon today to find multiple cards in laptops and the bridging to occur without the user truly understanding what is happening.
Log analysis
Crucial to identifying problems that occur related to security.
Trusted Operating System (TOS)
Any operating system that meets the government's requirements for security. The most common set of standards for security is the Common Criteria (CC). This document is a joint effort among Canada, France, Germany, the Netherlands, the United Kingdom, and the United States. The standard outlines a comprehensive set of evaluation criteria broken down into seven Evaluation Assurance Levels (EAL 1 to EAL 7).
Evaluation Assurance Levels (EALs)
EAL 1 is primarily used when the user wants assurance that the system will operate correctly but threats to security aren't viewed as serious. EAL 2 requires product developers to use good design practices; security isn't considered a high priority. EAL 3 requires conscientious development efforts to provide moderate levels of security. EAL 4 requires positive security engineering based on good commercial development practices. EAL 5 is intended to ensure that security engineering has been implemented in a product from the early design phases; it's intended for high levels of security assurance. EAL 6 provides high levels of assurance of specialized security engineering; this certification indicates high levels of protection against significant risks. EAL 7 is intended for extremely high levels of security and requires extensive testing, measurement, and complete independent testing of every component. EAL has replaced the Trusted Computer Systems Evaluation Criteria (TCSEC, U.S.) system for certification and the Information Technology Security Evaluation Criteria (ITSEC, Europe).
Secure Router Configuration
Change the default password; walk through the advanced settings; keep the firmware upgraded.