4.2
CHAP (Challenge Handshake Authentication Protocol)
Also uses PPP and authenticates remote users, but it is more secure than PAP. The goal of CHAP is to allow the client to pass credentials over a public network such as a phone or the internet without allowing attackers to intercept the data and later use it in an attack.
SAML (Security Assertion Markup Language)
An XML-based data format used to exchange authentication information between a client and a service. It provides SSO for web-based applications.
Kerberos
Is a network authentication protocol used within Microsoft Windows Active Directory domains and some Unix environments known as realms. It uses a database of objects, such as Active Directory, and a KDC (or TGT server) to issue timestamped tickets that expire after a certain time period. It uses symmetric key cryptography to prevent unauthorized disclosure and to ensure confidentiality.
NTLM (New Technology LAN Manager)
Is a suite of protocols that provide authentication, integrity, and confidentiality within Windows systems. They use a message digest hashing algorithm to challenge users and check their credentials. There are three versions of NTLM. NTLM: a simple MD4 hash of a user's password. Neither NTLM nor MD4 is recommended for use today. NTLMv2: a challenge-response authentication protocol. When a user attempts to log on, NTLMv2 creates an HMAC-MD5 hash composed of a combination of the username, the logon domain name, the user's password, the current time, and more. NTLM2 Session: improves NTLMv2 by adding mutual authentication. In other words, the client authenticates with the server and the server also authenticates with the client.
Diameter
Is an extension of RADIUS. Many organizations have switched over to it due to its extra capabilities. It uses TCP, whereas RADIUS uses UDP. It provides centralized authentication.
TACACS+ (Terminal Access Controller Access Control System Plus)
Is the Cisco alternative to RADIUS. It provides two important security benefits over RADIUS. First, it encrypts the entire authentication process, whereas RADIUS encrypts only the password. Second, TACACS+ uses multiple challenges and responses between the client and the server. It can interact with Kerberos. This allows a Cisco VPN concentrator to interact with a Microsoft Active Directory environment.
MSCHAP (Microsoft Challenge Handshake Authentication Protocol)
Microsoft introduced MS-CHAP as an improvement over CHAP for Microsoft clients. MS-CHAP supported clients as old as Windows 95. Later, Microsoft improved MS-CHAP with MS-CHAPv2.
UTM (unified threat management)
Performs URL filtering, malware inspection, and content inspection of all traffic sent through it.
NAC (Network Access Control)
Provides continuous security monitoring by inspecting computers and preventing them from accessing the network if they don't pass the inspection.
MAC (Mandatory Access Control)
Uses labels to determine access. Security admins assign labels to both subjects (users) and objects (files and folders). When the labels match, the system can grant a subject access to an object. When the labels don't match, the access model blocks access.
OpenID Connect
Works with OAuth 2.0 and allows clients to verify the identity of end users without managing their credentials.
Proximity cards
Are small credit card-sized cards that activate when they are in close proximity to a card reader.
ABAC (Attribute Based Access Control)
Evaluates attributes and grants access based on the value of the attribute. Attributes can be almost any characteristic of a user, the environment, or the resources. ABAC uses policies to evaluate attributes and grants access when the system detects a match in the policy.
DAC (Discretionary Access Control)
Every object, such as a file or folder, has an owner, and the owner establishes access for the object. Many operating systems, such as Windows and most Unix-based systems, use the DAC model. The DAC model specifies that every object has an owner, and the owner has full explicit control of the object. Microsoft NTFS uses the DAC model.
RADIUS
Is a centralized authentication service. Instead of each individual VPN server needing a separate database to identify who can authenticate, the VPN servers forward the authentication requests to a central RADIUS server. RADIUS can also be used as an 802.1X server with WPA2 Enterprise mode.
OAuth
Is an open standard for authorization that many companies use to provide secure access to protected resources. Instead of creating a different account for each website you access, you can often use the same account that you've created with Google, Facebook, PayPal, Microsoft, or Twitter.
Shibboleth
Is one of the federated identity solutions. It is open source and freely available, making it a more affordable solution than some of the commercially available federated identity solutions. It also includes OpenSAML libraries written in C++ and Java, making it easier for developers to expand its usefulness.
PAP (Password Authentication Protocol)
Is used with Point-to-Point Protocol (PPP) to authenticate clients. A significant weakness of PAP is that it sends passwords over a network in cleartext, which represents a significant security risk. It uses a password and a PIN.
Federation
Requires a federated identity management system that all members of the federation use.
LDAP (Lightweight Directory Access Protocol)
Specifies formats and methods to query directories. In this context, a directory is a database of objects that provides a central access point to manage users, computers, and other directory objects. LDAP is an extension of the X.500 standard that Novell and early Microsoft Exchange Server versions used extensively. Windows domains use Active Directory, which is based on LDAP. Active Directory is a directory of objects (such as users, computers, and groups), and it provides a single location for object management.
Role-Based Access Control (RBAC)
Uses roles to manage rights and permissions for users. This is useful for users within a specific department who perform the same job functions. An admin creates the roles and then assigns specific rights and permissions to the roles instead of to the users. When an admin adds a user to a role, the user has all rights and permissions of that role.
Rule-Based Access Control
Uses rules. The most common example is with rules in routers or firewalls. However, more advanced implementations cause rules to trigger within applications too.