Security+ (get certified, get ahead) - chapter 1
Remote Authentication Dial-In User Service (RADIUS)
A centralized authentication service. Authentication requests are forwarded to a central server. It uses UDP, which is a best-effort delivery mechanism, and it only encrypts the password.
Kerberos
A network authentication mechanism used within Windows Active Directory domains and some UNIX realms. It uses a database of objects such as Active Directory and a KDC to issue time-stamped tickets that expire after a certain period. It requires internal time synchronization and uses port 88.
Single Sign-on
Enhances security by requiring users to use and remember only one set of credentials for authentication. Once signed on, this one set of credentials is used throughout a user's entire session. It can provide central authentication against a federated database for different operating systems.
Availability
Ensures systems are up and operational when needed, and uses fault tolerance and redundancy methods such as RAID, clustering, and backups to address single points of failure.
Confidentiality
Prevents unauthorized disclosure and is enforced with access controls and encryption. Authentication, access control methods, physical security and permissions help to enforce confidentiality.
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP & MS-CHAPv2)
Microsoft's improvement to CHAP for Microsoft clients. MS-CHAPv2 can perform mutual authentication: the client authenticates to the server and the server authenticates to the client.
Risk
The likelihood that a threat will exploit a vulnerability. Mitigation reduces the chances that a threat will exploit a vulnerability by implementing controls.
Identity Proofing
The process of verifying that people are who they claim to be prior to issuing them credentials for a system.
IEEE 802.1X
A port-based authentication protocol that provides authentication when a user connects to a specific access point, or in this context, a logical port. Its primary purpose is to secure the authentication process before a client actually gains access to a network.
Mutual Authentication
Accomplished when both entities in a session authenticate with each other prior to exchanging data. This provides assurances of the server's identity before the client transmits data.
Password Authentication Protocol (PAP)
Authentication method used with RAS that sends the password in clear text. Rarely used today; it was normally used with dial-up connections.
Challenge Handshake Authentication Protocol (CHAP)
Authentication method used with RAS that uses a handshake process in which the server challenges the client. The client then responds with the appropriate authentication information, hashing it before sending it back to the server.
Defense in Depth
Employs multiple layers of controls to make it harder for attackers to exploit a system or network.
Remote Access Services (RAS)
Provides access to an internal network from an outside source.
Integrity
Provides assurances that data has not been modified and is enforced with hashing (MD5, HMAC or SHA1). Loss of integrity can occur through unauthorized or unintended changes.
Non-repudiation
Provides proof of a person's identity. It is used to prevent entities from denying they took an action. Examples include a digital signature or audit logs. An audit log provides non-repudiation since its entries include who, what, where and when.
Authentication
Provides proof that users are who they claim to be by presenting something like a user name and password. Identification: the user claims an identity. Authentication: the user proves the identity. Authorization: access is granted based on the proven identity.
LDAP
Specifies formats and methods to query directories, like Active Directory. It uses port 389 for unencrypted transmission and 636 when encrypted with either SSL or TLS.
Implicit Deny
Unless something is explicitly allowed, it is denied.
Strong Password
Use a mix of character types with a minimum password length such as 8 or 10 characters. The key space of a password is calculated as C^N, where C is the number of possible characters and N is the password length.
TACACS+
Used by Cisco for authentication and can use Kerberos, allowing it to interact with a Microsoft environment. It uses TCP, encrypts the entire authentication process and uses multiple challenges and responses.