Chapter 11: Authentication and Remote Access


Group

A collection of users with some common criteria, such as a need for access to a particular dataset or group of applications.

Remote Access Server (RAS)

A combination of hardware and software used to enable remote access to a network.

Domain Controller

A computer that responds to security authentication requests, such as logging into a computer, for a Windows domain.

Single Sign-On (SSO)

A form of authentication that involves the transfer of credentials between systems. When a user logs in to a system once, they have access to all the applications and data they need, without having to log in multiple times or remember many different passwords.

Security Association (SA)

A formal manner of describing the necessary and sufficient portions of the IPsec protocol series to achieve a specific level of protection.

Authentication Header (AH)

A header added to a packet for the purposes of integrity checking. It is a portion of the IPsec security protocol that provides authentication services and replay-detection ability. AH can be used either by itself or with Encapsulating Security Payload (ESP).

Internet Key Exchange (IKE)

A hybrid protocol that uses part of the Oakley and part of the Secure Key Exchange Mechanism for Internet (SKEMI) protocol suites inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. IKE is used to establish a shared security policy and authenticated keys for services that require keys (such as IPsec). Formerly known as ISAKMP/Oakley; defined in RFC 2409.

Oakley

A key exchange protocol that defines how to acquire authenticated keying material based on the Diffie-Hellman key exchange algorithm.

Kerberos

A network authentication protocol designed by MIT for use in client/server environments. Kerberos is built around the idea of a trusted third party.

Attribute-Based Access Control (ABAC)

A new access control schema based on the use of attributes associated with an identity. These can use any type of attribute (user attributes, resource attributes, environment attributes, and so on), such as location, time, activity being requested, and user credentials.

Domain Password Policy

A password policy for a specific domain. As these policies are usually associated with the Windows operating system, a domain password policy is implemented and enforced on the domain controller.

Encapsulating Security Payload (ESP)

A portion of the IPsec implementation that provides for data confidentiality with optional authentication and replay detection services. ESP completely encapsulates user data in the datagram and can be used either by itself or in conjunction with Authentication Headers for varying degrees of IPsec services.

Ticket-Granting Server (TGS)

A portion of the Kerberos authentication system. Two tickets are used in Kerberos. The first is a ticket-granting ticket (TGT) obtained from the authentication server (AS). The TGT is presented to a ticket-granting server (TGS) when access to a server is requested and a client-to-server ticket is issued, granting access to the server. Typically both the AS and the TGS are logically separate parts of the key distribution center (KDC).

Secure Key Exchange Mechanism for Internet (SKEMI)

A protocol and standard for key exchange across the Internet.

Internet Security Association and Key Management Protocol (ISAKMP)

A protocol framework that defines the mechanics of implementing a key exchange protocol and negotiation of a security policy.

Internet Protocol Security (IPsec)

A protocol used to secure IP packets during transmission across a network. IPsec offers authentication, integrity, and confidentiality services and uses Authentication Headers (AH) and Encapsulating Security Payload (ESP) to accomplish this functionality.

Authentication Server (AS)

A server used to perform authentication tasks. Used with the Kerberos authentication protocol, this machine issues ticket-granting tickets to the requesting client.

Password Policy

A set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. It may consist of password construction, reuse restrictions, duration, protection of passwords, and consequences.

Role

Synonymous with a job or set of functions.

Username

A unique alphanumeric identifier a user will use to identify themselves when logging into or accessing the system.

Rule-Based Access Control (RBAC)

An access control mechanism based on rules. Access is either allowed or denied based on a set of predefined rules. Each object has an associated ACL (much like DAC), and when a particular user or group attempts to access the object, the appropriate rule is applied.

Role-Based Access Control (RBAC)

An access control mechanism in which, instead of the users being assigned specific access permissions for the objects associated with the computer system or network, a set of roles that the user may perform is assigned to each user. It is the access control model that most closely resembles an organization's structure.

Root

An account reserved for special functions that has more access and control over the computer system than the average user account under Unix (or Linux). By default, root runs all of the services on the computer, as the System account does on Windows.

Administrator

An account reserved for special functions that has more access and control over the computer system than the average user account under Windows. Services do not run under it unless specifically configured to.

Superuser

An account that is not typically assigned to a specific individual and is restricted, accessed only when the full capabilities of that account are required (includes administrator and root accounts).

Token

An authentication factor that typically takes the form of a physical or logical entity that the user must be in possession of to access their account or certain resources.

Virtual Private Network (VPN)

An encrypted network connection across another network, offering a private communication channel across a public medium.

eXtensible Access Control Markup Language (XACML)

An open standard XML-based language used to describe access control; implements attribute- and policy-based access control schemes.

User

Any person accessing a computer system. In privilege management, a user is a single individual. This is generally the lowest level addressed by privilege management and the most common area for addressing access, rights, and capabilities.

Permissions

Control what the user is allowed to do with objects on the system — which files they may access, which programs they may execute, and so on.

Access Control List (ACL)

In regards to routers and firewalls, an ACL is a set of rules used to control traffic flow into or out of an interface or network. In terms of system resources (e.g. files and folders), an ACL lists permissions attached to an object (who is allowed to view, modify, move, or delete that object).

Group Policy Object (GPO)

Stores the group policy settings in a Microsoft Active Directory environment.

Rights

The actions a user can perform on the system itself, such as change the time, adjust auditing levels, and so on. Typically applied to operating system-level tasks.

Authorization

The granting of specific permissions based on the privileges held by the account. Checking a user's ability to access data, networks, and applications is carried out as part of authorization, and in many cases this is a function of the operating system in conjunction with its established security policies.

Authentication

The matching of user-supplied credentials to previously stored credentials on a host machine; it usually involves an account username and password. Once the user is authenticated, the authorization step takes place.

Mandatory Access Control (MAC)

The process of controlling access to information based on the sensitivity of that information and whether or not the user is operating at the appropriate sensitivity level and has the authority to access that information. An access control mechanism in which the security mechanism controls access to all objects (files); individual subjects (processes or users) cannot change that access.

Privilege Management

The process of restricting a user's ability to interact with the computer system. Occurs at many different points within an operating system or even within applications running on a particular operating system.

Discretionary Access Control (DAC)

The process of using file permissions and optional ACLs to restrict access to information based on a user's identity or group membership. The "discretionary" part of DAC means that a file or resource owner has the ability to change the permissions on that file or resource. It is the most common access control system.

Content Protection

The protection of the header and data portion of a user datagram.

Context Protection

The protection of the header of a user datagram.

Point-to-Point Tunneling Protocol (PPTP)

The use of generic routing encapsulation over PPP to create a methodology used for virtual private networking across a TCP/IP network; enables the secure transfer of data from a remote PC to a server.

Authentication, Authorization, and Accounting (AAA)

These are three common functions performed upon system login. Authentication and authorization almost always occur, with accounting being somewhat less common.

Access Control

These mechanisms or methods are used to determine what access permissions subjects (such as users) have for specific objects (such as files).

Accounting

This is a collection of billing and other detail records. Network access is often a billable function, and a log of how much time, bandwidth, file transfer space, or other resources were used needs to be maintained. Other accounting functions include keeping detailed security logs to maintain an audit trail of tasks being performed.

Key Distribution Center (KDC)

This is a portion of the Kerberos authentication system, which consists of two logically separate parts: an authentication server (AS) and a ticket-granting server (TGS). Kerberos communicates via "tickets" that serve to prove the identity of users.

Identification

This is the process of determining identity as part of identity management and access control. It's usually performed only once, when the user ID is assigned.

Privileges

The abilities a user has to run tasks on a computer system, such as creating a directory, deleting a file, or running a program.

