MIS170: CH10


Physical LAN authentication technologies:

1. 802.1X

Physical security methods:

1. Barriers 2. surveillance CCTV (Closed Circuit TV) 3. Secure door access 4. Identification cards

2 types of failures in a biometric authentication system:

1. False acceptance 2. False rejection

Define 802.1X

1. IEEE standard that defines port-based network access control (PNAC) 2. Data link layer authentication technology

Software-based LAN authentication technologies:

1. LDAP 2. Kerberos

What are the remote authentication technologies?

1. RAS 2. VPN 3. RADIUS 4. TACACS+ 5. CHAP

LAN authentication technologies

1. Software-based 2. Physical

5 ways to authenticate:

1. Something the user knows 2. Something the user has 3. Something the user does 4. Something the user is 5. Somewhere the user is

What are the 3 components to an 802.1X connection:

1. Supplicant 2. Authenticator 3. Authentication Server (1 <-> 2 <-> 3)

define context-aware authentication:

1. adaptive 2. authenticates users based on their usage of resources

What is an authentication system meant to do?

1. block people who cannot provide proper ID 2. allow access to people who do have proper ID

The disadvantages of multifactor authentication:

1. users need to remember more information 2. more IT costs 3. more administration 4. static (whitelists/blacklists are configured manually)

(not a Q) more info on Kerberos

1. Uses a 3rd-party ticket system (key distribution center, KDC). Within the KDC: authentication server and ticket granting server. Used mostly in client-server environments (client & server verify each other's identity).

Define multifactor authentication:

2 or more types of authentication methods are used for user access control

802.1X authentication procedures

4 steps:
1. Initialization: if the authenticator detects a new supplicant, the port is enabled for 802.1X traffic; all other traffic is stopped.
2. Initiation: requests an EAP response from the supplicant and passes it to the authentication server.
3. Negotiation: replies to the authenticator.
4. Authentication: if agreement is reached, transmission begins until PASS/FAIL to authenticate.

Before gaining access to the data center, you must swipe your finger on a device. What type of authentication is this? a. biometrics b. single sign-on c. multifactor d. tokens

A

Which of the following results occurs when a biometric system identifies a legitimate user as unauthorized? a. false rejection b. FAR c. false acceptance d. CER e. false exception

A

Which of the following are good practices for tracking users' identities? a. video cameras b. key card door access systems c. sign-in sheets d. security guards

A & B

Of the following, what two authentication methods require something you physically possess? a. smart-card b. certificate c. USB flash drive d. username and password

A & C

Kerberos uses which of the following? a. ticket distribution service b. faraday cage c. port 389 d. authentication service

A & D (port 389 is used by LDAP)

What types of technologies are used by external motion detectors? a. infrared b. RFID c. gamma rays d. ultrasonic

A & D (heat and sound can set them off)

What is the most secure method of authentication and authorization in its default form? a. TACACS b. KERBEROS c. RADIUS d. LDAP

B - far more complicated than TACACS & RADIUS. LDAP is not a possible answer as it deals with managing directories of information.

BEGIN OF REVIEW QUESTIONS

Something the user is: (Inherence factors)

Biometric - retina, thumbprint

The IT director asked you to set up an authentication model in which users can enter their credentials one time, yet still access multiple server resources. What type of authentication model should you implement? a. smart card and biometrics b. 3 factor c. SSO d. VPN

C

What does a virtual private network use to connect one remote host to another? a. modem b. network adapter c. internet d. cell phone

C

What is the main purpose of a physical access log? a. to enable authorized employee access b. to show who exited the facility c. to show who entered the facility d. to prevent unauthorized employee access

C

When attempting to grant access to remote users, which protocol uses separate multiple-challenge responses for each of the AAA processes? a. RADIUS b. TACACS c. TACACS+ d. LDAP

C

Which of the following authentication systems make use of a KDC? a. security tokens b. chap c. kerberos d. certificates

C

Which of the following is the verification of a person's identity? a. authorization b. accountability c. authentication d. password

C

Which port number does the protocol LDAP use when secured? a. 389 b. 443 c. 636 d. 3389

C

To gain access to your network, users provide a thumbprint and a username and a password. What type of authentication model is this? a. biometrics b. domain log in c. multifactor d. single sign-on

C

Which of the following is an authentication system that uses UDP as a transport mechanism? a. LDAP b. KERBEROS c. RADIUS d. TACACS+

C - all others use TCP

2 items are needed before a user can be given access to the network. What are they? a. authentication/authorization b. authorization/identification c. identification/authentication d. password/authentication

C - the network needs to identify and then authenticate

Which of the following is the final step a user needs to take before the user can access domain resources? a. verification b. validation c. authorization d. authentication

C - authentication, then authorization

What are two examples of common single sign-on authentication configurations? a. biometrics-based b. multifactor authentication c. Kerberos-based d. smart card-based

C & D

Your data center has highly critical information. Because of this you want to improve upon physical security. The data center already has a video surveillance system. What else can you add to increase physical security? (Select the two best answers.) A . A software-based token system B. Access control lists C. A mantrap D. Biometrics

C & D - Mantrap: device made to capture a person. Biometric is physical. A & B are logical security.

Which 2 options can prevent unauthorized employees from entering a server room: a. bollards b. CCTV c. security guard d. 802.1X e. proximity reader

C & E - no proximity card, no entry

Which of the following is an example of two-factor authentication? a. L2TP and IPsec b. username and password c. thumbprint and keycard d. client and server

C (2 pieces of identity are needed prior to authentication)

Which of the following about authentication is false? **RESTUDY** a. RADIUS is a client-server system that provides AAA b. PAP is insecure because usernames and passwords are sent in clear text c. MS-CHAPv2 is not capable of mutual authentication of client/server d. CHAP is more secure than PAP because it encrypts usernames and passwords

C - MS-CHAPv2 is capable of mutual authentication

Which is not a logical method of access control? a. username/pass b. access control lists c. biometrics d. software-based policy

C - biometric deals with physical attributes

CHAP

Challenge Handshake Authentication Protocol - authentication scheme used by the Point-to-Point Protocol, which is standard for dial-up (RAS)

How would you analyze biometric system performance?

Crossover error rate (CER): the lower it is, the better the biometric system is

Which of the following is not a common criteria when authenticating users? a. something you do b. something you are c. something you know d. something you like

D

Which best describes the difference between RADIUS and TACACS+? a. RADIUS is a remote access authentication service b. RADIUS separates AAA capabilities c. TACACS+ is a remote access authentication service d. TACACS+ separates AAA capabilities

D - all other answers incorrect

In a secure environment, which authorization mechanism performs better? a. RADIUS because it is a remote access authentication service b. RADIUS because it encrypts client-server passwords c. TACACS+ because it is a remote access authentication service d. TACACS+ because it encrypts client-server negotiation dialogues

D - both are remote authentication

Your org provides employee badges that are encoded with a private encryption key and specific personal information. Encoding is used to provide access to the organization's network. What type of authentication method is being used? a. token b. biometrics c. Kerberos d. smart card

D - example of a smart card. a = software based; c = authentication technology; b = not physical

Which of the following permits or denies access to resources through the use of ports? a. HUB b. 802.11n c. 802.11x d. 802.1X

D - implements Port-based network access control PNAC

Which of the following is an authentication and accounting service that uses TCP as its transport mechanism when connecting to routers and switches? A. KERBEROS B. RADIUS C. CAPTIVE PORTAL D. TACACS+

D = AAA service. A only authenticates; B uses UDP; C redirects people in an effort to authenticate (e.g., using coffee shop Wi-Fi)

Which authentication method completes in the following order: logon request -> encrypts value response -> server -> challenge -> compare encrypted results -> authorize or fail a. security tokens b. certificates c. Kerberos d. CHAP

D.

What are the several types of EAP authentication?

EAP-MD5 EAP-TLS EAP-TTLS EAP-FAST PEAP

Define a supplicant:

End user - software client running on a workstation

How does EAP work with 802.1X?

Extensible authentication protocol - 802.1X is an authentication mechanism and defines how EAP is encapsulated within messages

Software based LAN authentication LDAP:

Lightweight directory access protocol - application layer protocol used for accessing and modifying directory services data

Somewhere the user is:

Location - IP address

What are the authentication models?

MFA (multifactor authentication) C-AA (context-aware authentication) SSO (single sign-on)

PEAP?

Protected Extensible Authentication Protocol

What are the 2 common protocols for remote authentication?

RADIUS: uses UDP; combines AA functions; partially encrypts access-request packet
TACACS+: uses TCP; separates each AAA into their own operations (added layer of security); fully encrypts access-request packet; provides more types of authentication requests

Something the user does:

Signature or gesture

Newer version of TACACS?

TACACS+

Define Identification:

When a person is in a state of being identified. STEP 1

Define Authentication:

When a person's identity is confirmed or verified through the use of a specific system. STEP 2

Authorization:

When a user is given permission to access certain resources. STEP 3

Define an authenticator:

a wireless access point

Define an authentication server:

authentication database

Software based LAN authentication Kerberos:

authentication protocol that enables computers to prove their identity to each other in a secure manner (mutual authentication)

Define false acceptance:

biometric system authenticates a user who should NOT be allowed to access a system

Define false rejection:

biometric system denies a user who should actually be allowed to access a system

Which of the following would fall into a category of "something a person is" a. passwords b. passphrases c. fingerprints d. smart cards

c

What is a VPN?

connection between two or more computers or devices on the same private network

Preventive controls:

door access, smart cards, biometric readers

Org currently runs Active Directory infrastructure. Which of the following best correlates to the host authentication protocol used within that organization's IT environment? a. TACACS+ b. KERBEROS c. LDAP d. 802.1X

Hint: Active Directory means a Windows server is acting as domain controller; domain controller = KERBEROS set. a = authentication system; c = protocol (not authentication method) in Windows that controls Active Directory objects, would work with KERBEROS; d = authentication method used by network adapters

Define identity proofing:

initial validation of an identity

Something the user knows (knowledge factors)

password, pin

Remote Authentication Dial-In User Service (RADIUS)

provides centralized administration of dial-up

Terminal Access Controller Access Control System (TACACS)

remote authentication protocol used for UNIX

Biometric

science of recognizing humans based on one or more physical characteristics (Used in authentication and access control)

RAS

service that enables dial-up and various types of VPN connections

Something the user has (possession factors)

smart card, ID card

When is RADIUS used?

to authenticate users, to authorize users, to account for usage of the services

Define single sign-on

user can log in once but gain access to multiple systems without relogging

Detective controls:

video surveillance , motion detector

When should a VPN concentrator be used?

when large organizations need hundreds of simultaneous connections

