AAA and Identity Management Flashcards Preview


Flashcards in AAA and Identity Management Deck (60)
1
Q

Type of authentication where the user provides a secret known only to him or her, e.g. providing a password or PIN, or answering a secret question

A

Authentication by Knowledge

2
Q

NIST Special Publication that provides guidelines for authentication and password strength

A

NIST Special Publication 800-63B

3
Q

Type of authentication where the user is asked to provide proof that he or she owns something specific. For example, a system might require an employee to use a badge to access a facility, or to present a token, smart card or one-time password (OTP)

A

Authentication by ownership

4
Q

Type of authentication that authenticates a user based on a physical or behavioral characteristic, sometimes referred to as a biometric attribute. Examples of physical characteristics: fingerprints, facial recognition, retina and iris, palm and hand geometry, blood and vascular information, voice recognition. Examples of behavioral characteristics: signature dynamics, keystroke dynamics

A

Authentication by Characteristics

5
Q

Authentication where only one factor is presented, e.g. a password

A

Single factor authentication

6
Q

Authentication where two or more factors are presented

A

Multi factor authentication
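Added worked example (not part of the deck): a small verifier that combines a knowledge factor (a salted PBKDF2 password hash) with an ownership factor (HOTP per RFC 4226 and TOTP per RFC 6238, which is what authenticator apps and hardware tokens produce) and only accepts a login when both pass. The user record, its salt and the TOTP seed are constructed for the example; the seed is the RFC 4226/6238 test-vector seed so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct

# --- Knowledge factor: store a salted, stretched hash, never the plaintext ---
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    # constant-time comparison so a wrong guess is not distinguishable by timing
    return hmac.compare_digest(hash_password(password, salt), stored)


# --- Ownership factor: HOTP (RFC 4226) and TOTP (RFC 6238) ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    # accept the current step plus +/- skew steps to tolerate clock drift
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + k), candidate)
               for k in range(-skew, skew + 1))


# Constructed user record. The seed is the RFC 4226/6238 test seed; the salt is fixed
# here only so the example is reproducible (use os.urandom(16) per user in practice).
RFC_SEED = b"12345678901234567890"
ALICE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {
    "alice": {
        "salt": ALICE_SALT,
        "pw_hash": hash_password("correct horse battery staple", ALICE_SALT),
        "totp_secret": RFC_SEED,
    }
}


def authenticate(username: str, password: str, otp: str, unix_time: int) -> bool:
    """Multifactor check: the knowledge factor AND the ownership factor must both verify."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, b"\x00" * 16)  # burn the same cost for unknown users
        return False
    knowledge_ok = verify_password(password, user["salt"], user["pw_hash"])
    ownership_ok = verify_totp(user["totp_secret"], otp, unix_time)
    return knowledge_ok and ownership_ok


if __name__ == "__main__":
    now = 1111111109
    print(authenticate("alice", "correct horse battery staple", totp(RFC_SEED, now), now))
```

Both factors are always evaluated before the result is combined, so a failed password does not short-circuit the OTP check and leak which factor was wrong.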

7
Q

Company acquired by Cisco. A very popular multifactor authentication solution used by small, medium and large organizations. Protects on-premises and cloud-based applications through preconfigured integrations and generic configuration via RADIUS, Security Assertion Markup Language (SAML), LDAP and more

A

Duo security

8
Q

Another component of the Duo solution. Provides multifactor authentication access to cloud-based applications

A

Duo Access Gateway

9
Q

Assumes that no system or user is trusted when requesting access to corporate networks, systems and applications, whether hosted on-premises or in the cloud. Their trustworthiness must be verified before access is granted.

A

Zero Trust

10
Q

Google's own implementation of a zero-trust model, which shifts access control from network perimeter firewalls and other security devices to individual devices and users.

A

BeyondCorp

11
Q

The concept of centralised identity is also referred to as?

It handles authentication, authorization, user attribute exchange and user management

A

Federated Identity

12
Q
  • Elements that are part of an SSO
  • Calls an external API to authenticate and authorize users. Also used to make sure that applications and services do not store passwords and user information on-site
A

Delegation

13
Q
  • Elements that are part of an SSO

- An SSO environment in which all resources and users are linked to a centralised database

A

Domain

14
Q
  • Elements that are part of an SSO

- A vector through which identity can be confirmed

A

Factor

15
Q
  • Elements that are part of an SSO

- A collection of shared protocols that allow user identities to be managed across organizations

A

Federated Identity Management

16
Q
  • Elements that are part of an SSO
  • An identity provider that offers single sign-on, consistency in authorization practices, user management and attribute-exchange practices between providers (issuers) and relying parties (applications)
A

Federation Provider

17
Q
  • Elements that are part of an SSO

- A collection of domains managed by a centralized system

A

Forest

18
Q
  • Elements that are part of an SSO

- An application, website or service responsible for coordinating identities between users and clients

A

Identity Provider (IdP)

19
Q
  • Elements that are part of an SSO

- A ticket-based protocol for authentication built on symmetric-key cryptography

A

Kerberos

20
Q
  • Elements that are part of an SSO
  • A term in computing architecture referring to the serving of many users (tenants) from a single instance of an application.
A

Multitenancy

21
Q
  • Elements that are part of an SSO

- An open standard for authorization used by many APIs and modern applications

A

OAuth

22
Q
  • Elements that are part of an SSO
  • Another open standard that allows third-party services to authenticate users without clients needing to collect, store and subsequently become liable for users' login information
A

OpenID or OpenID Connect

23
Q
  • Elements that are part of an SSO

- A type of authentication based on tokens

A

Passwordless

24
Q

  • Elements that are part of an SSO

- A type of identity provider originating in social services like Google, Facebook, Twitter and so on

A

Web Identity

25
Q

  • Elements that are part of an SSO

- How Active Directory in a Microsoft Windows environment organizes user information

A

Windows Identity

26
Q
  • Elements that are part of an SSO
  • A common infrastructure (federation standard) for identity, used by web services and browsers built on Windows Identity Foundation
A

WS-Federation

27
Q

The process of assigning authenticated subjects permission to carry out specific operations

A

Authorization

28
Q

The three primary authorization models

A
  • Object capability
  • Security Labels
  • ACL
29
Q

Used programmatically; based on a combination of an unforgeable reference and an operational message

A

Object capability

30
Q

Mandatory access controls embedded in object and subject properties. Examples are "confidential", "secret" and "top secret".

A

Security labels

31
Q

Used to determine access based on some combination of specific criteria, such as user ID, group membership, classification, location, address and date

A

ACL

32
Q

An authorization policy should implement two concepts

A
  • Implicit deny
  • Need to know

33
Q

Defined by policy and cannot be modified by the information owner. Primarily used in secure military and government systems that require a higher degree of confidentiality

A

Mandatory Access Control (MAC)

34
Q

Defined by the owner of the object; used in commercial operating systems. The object owner builds an ACL that allows or denies access to the object based on the user's unique identity

A

Discretionary Access Control (DAC)

35
Q

Access permissions based on a specific role or function

A

Role-Based Access Control (RBAC)

36
Q

Access is based on criteria that are independent of the user or group account. Rules are determined by the resource owner. Commonly used criteria include source or destination address, geographic location and time of day.

A

Rule-Based access control

37
Q

A logical access control that controls access to objects by evaluating rules against the attributes of entities

A

Attribute-Based Access Control (ABAC)
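Added worked example (not from the deck) showing how the models in cards 30 and 33 to 37 differ in practice: a policy decision point evaluates MAC label dominance (no read-up, no write-down), an RBAC role-to-permission table, and rule-based conditions on environment attributes (source address, time of day) as one ordered ABAC policy set with implicit deny. All subjects, resources, roles and networks are constructed for the example.

```python
import ipaddress
from datetime import datetime

# MAC sensitivity labels: a higher number dominates a lower one.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

# RBAC: role -> set of (resource, action) permissions (constructed).
ROLE_PERMS = {
    "payroll-clerk": {("payroll.db", "read")},
    "payroll-admin": {("payroll.db", "read"), ("payroll.db", "write")},
    "netops":        {("router-config", "read"), ("router-config", "write")},
}
MGMT_NET = ipaddress.ip_network("10.10.0.0/16")   # constructed management network


# Each rule is a predicate over (subject, resource, action, environment) attributes.
def no_read_up(s, r, a, e):
    return a != "read" or LEVELS[s["clearance"]] >= LEVELS[r["label"]]


def no_write_down(s, r, a, e):
    return a != "write" or LEVELS[s["clearance"]] <= LEVELS[r["label"]]


def role_holds_permission(s, r, a, e):
    return any((r["name"], a) in ROLE_PERMS.get(role, ()) for role in s["roles"])


def config_writes_from_mgmt_net(s, r, a, e):
    if not (r["name"] == "router-config" and a == "write"):
        return True
    return ipaddress.ip_address(e["src_ip"]) in MGMT_NET


def writes_in_business_hours(s, r, a, e):
    return a != "write" or 8 <= e["time"].hour < 18


# All rules must hold (implicit deny); the first failing rule is reported as the reason.
POLICIES = [
    ("MAC: no read-up", no_read_up),
    ("MAC: no write-down", no_write_down),
    ("RBAC: role lacks permission", role_holds_permission),
    ("Rule: config writes only from the management network", config_writes_from_mgmt_net),
    ("Rule: writes only during business hours", writes_in_business_hours),
]


def decide(subject, resource, action, env):
    for name, rule in POLICIES:
        if not rule(subject, resource, action, env):
            return False, name
    return True, "permit"


# Constructed subjects, resources and a helper for the environment attributes.
ALICE = {"name": "alice", "clearance": "confidential", "roles": ["payroll-admin"]}
BOB = {"name": "bob", "clearance": "unclassified", "roles": ["netops"]}
PAYROLL = {"name": "payroll.db", "label": "confidential"}
ROUTER = {"name": "router-config", "label": "unclassified"}


def env(src_ip, when):
    return {"src_ip": src_ip, "time": when}


if __name__ == "__main__":
    print(decide(ALICE, PAYROLL, "read", env("10.10.1.5", datetime(2024, 1, 15, 10, 0))))
    print(decide(BOB, ROUTER, "write", env("192.168.1.1", datetime(2024, 1, 15, 10, 0))))
```

Rule order matters for the reported reason only, not for the decision: because every rule must pass, a request denied by the MAC check is denied even when the role would have allowed it.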

38
Q

The process of auditing and monitoring what a user does once a specific resource is accessed

A

Accounting

39
Q

Includes physical and logical network designs, border devices, communication mechanisms and host security settings

A

Infrastructure access controls

40
Q

Type of access control mechanism method

  • The simplest way to implement a DAC-based system
  • Can apply to different objects such as files, or be configured as statements (policies) in network infrastructure devices such as routers and firewalls
A

Access Control List (ACL)

41
Q

Type of access control mechanism method
- A collection of objects that a subject can access, together with the granted permissions. The key characteristic is that it is subject-centric instead of object-centric

A

Capability Table

42
Q

Type of access control mechanism method
Usually associated with a DAC-based system. Includes three elements: the subject, the object and the set of permissions.

A

Access control Matrix (ACM)
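Added worked example (not from the deck) tying cards 40 to 42 together: a sparse access control matrix keyed by (subject, object), from which an ACL is one column (object-centric) and a capability table is one row (subject-centric); lookups are implicit-deny, and in DAC fashion only the object's owner can grant or revoke entries. The subjects, objects and permissions are constructed, and the "own" permission used to mark ownership is an assumption of this example.

```python
# Constructed matrix: rows are subjects, columns are objects, cells are permission sets.
# "own" marks the object owner, who under DAC is the one allowed to edit the object's ACL.
MATRIX = {
    ("alice", "payroll.db"): {"own", "read", "write"},
    ("bob", "payroll.db"): {"read"},
    ("netops", "router-config"): {"own", "read", "write"},
    ("alice", "router-config"): {"read"},
}


def is_allowed(subject, obj, op):
    """Implicit deny: a missing cell, or an op absent from the cell, means no access."""
    return op in MATRIX.get((subject, obj), set())


def acl(obj):
    """Object-centric view (one matrix column): which subjects may do what to this object."""
    return {s: sorted(p) for (s, o), p in MATRIX.items() if o == obj}


def capability_table(subject):
    """Subject-centric view (one matrix row): which objects this subject may act on, and how."""
    return {o: sorted(p) for (s, o), p in MATRIX.items() if s == subject}


def _require_owner(granter, obj):
    if "own" not in MATRIX.get((granter, obj), set()):
        raise PermissionError(f"{granter} does not own {obj}")


def grant(granter, subject, obj, op):
    """DAC: only the owner of the object may extend its ACL."""
    _require_owner(granter, obj)
    MATRIX.setdefault((subject, obj), set()).add(op)


def revoke(granter, subject, obj, op):
    _require_owner(granter, obj)
    cell = MATRIX.get((subject, obj), set())
    cell.discard(op)
    if not cell:
        MATRIX.pop((subject, obj), None)   # drop empty cells so the matrix stays sparse


def render_device_acl(obj):
    """Flatten one column into ordered permit statements ending in an explicit deny,
    the shape an ACL takes when it is expressed as statements on a router or firewall."""
    lines = [f"permit {s} {op} {obj}"
             for s, ops in acl(obj).items() for op in ops if op != "own"]
    return lines + [f"deny any any {obj}"]


if __name__ == "__main__":
    print(acl("payroll.db"))
    print(capability_table("alice"))
    print("\n".join(render_device_acl("router-config")))
```

The same matrix serves both views; what changes between an ACL and a capability table is only which key is held fixed when the cells are read out.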

43
Q
  • Type of access control mechanism method

- Uses the information (content) within a resource to make an authorization decision

A

Content-dependent access control

44
Q
  • Type of access control mechanism method
  • Uses contextual information to make an access decision, together with other information such as the identity of the subject
A

Context-dependent access control

45
Q
  • An AAA protocol used mainly to provide network access services.
  • The authentication and authorization parts are specified in RFC 2865, while the accounting part is specified in RFC 2866.
  • Operates over UDP: port 1812 for authentication and authorization and port 1813 for accounting (older deployments still use the legacy ports 1645 and 1646)
A

Remote Authentication Dial-In User Service (RADIUS)
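Added worked example (not from the deck) of the RFC 2865 exchange itself: the NAS builds an Access-Request with a random Request Authenticator, hides the User-Password with the MD5 keystream from RFC 2865 section 5.2 and appends an RFC 2869 Message-Authenticator (HMAC-MD5); the server checks that HMAC, recovers the password and answers with an Access-Accept or Access-Reject whose Response Authenticator the NAS recomputes before trusting the verdict. The shared secret, user database and NAS address are constructed; no sockets are used, the two sides just pass byte strings.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def encode_attrs(attrs):
    """RADIUS attributes are TLVs: 1-byte type, 1-byte total length, value (max 253 bytes)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    return code, ident, data[4:20], decode_attrs(data[20:length])


def build_access_request(secret, ident, username, password, nas_ip, request_auth=None):
    request_auth = request_auth or os.urandom(16)        # fresh random Request Authenticator
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             (MESSAGE_AUTHENTICATOR, b"\x00" * 16)]       # zero placeholder, filled in below
    pkt = build_packet(ACCESS_REQUEST, ident, request_auth, attrs)
    # RFC 2869: HMAC-MD5 over the whole packet with the Message-Authenticator zeroed
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def message_authenticator_ok(secret, data):
    code, ident, auth, attrs = parse_packet(data)
    given = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    if given is None:
        return False
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, build_packet(code, ident, auth, zeroed), hashlib.md5).digest()
    return hmac.compare_digest(given, expected)


def server_handle(secret, users, data):
    """Server side: verify integrity, recover the password, answer Accept or Reject."""
    if not message_authenticator_ok(secret, data):
        return None                                    # RFC 2869: silently discard
    code, ident, request_auth, attrs = parse_packet(data)
    a = dict(attrs)
    if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
        return None
    pw = reveal_password(a[USER_PASSWORD], secret, request_auth)
    expected = users.get(a[USER_NAME].decode(errors="replace"), b"\xff")
    resp_code = ACCESS_ACCEPT if hmac.compare_digest(pw, expected) else ACCESS_REJECT
    header = struct.pack("!BBH", resp_code, ident, 20)  # no attributes in this reply
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def client_check_response(secret, request, response):
    """NAS side: the ID must match and the Response Authenticator must recompute."""
    _, req_id, request_auth, _ = parse_packet(request)
    code, resp_id, resp_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return resp_id == req_id and hmac.compare_digest(resp_auth, expected), code
```

Note what the shared secret protects: the password is only obfuscated, not encrypted, and without a Message-Authenticator an Access-Request has no integrity check at all, which is why RADIUS deployments rely on a strong secret and a trusted path between NAS and server (or RADIUS over TLS).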

46
Q
  • Proprietary protocol developed by Cisco

- Uses TCP as the transport protocol. The server listens on port 49.

A

Terminal Access Controller Access Control System Plus (TACACS+)

47
Q

An IEEE standard used to implement port-based access control. In simple terms, the access device allows traffic on the port only after the connecting device has been authenticated and authorized

A

802.1X

48
Q

Three main role in 802.1X enabled network

A
  • Authentication server
  • Supplicant
  • Authenticator
49
Q

-802.1X protocol
An encapsulation defined in 802.1X that is used to carry EAP packets from the supplicant to the authenticator

A

EAP over LAN (EAPoL)

50
Q
  • 802.1X protocol
  • An authentication protocol used between the supplicant and the authentication server to transmit authentication information
A

Extensible Authentication Protocol (EAP)

51
Q
  • 802.1X protocol

- AAA protocol used for communication between the authenticator and the authentication server

A

RADIUS or Diameter
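Added worked example (not from the deck) for cards 49 to 51: a builder and parser for the supplicant-to-authenticator leg, i.e. EAP packets wrapped in EAPoL inside an Ethernet frame sent to the 802.1X PAE group address, plus a minimal supplicant that answers an EAP-Request/Identity and NAKs an unsupported method. The MAC addresses and the identity are constructed; the supported-method list is an assumption of the example.

```python
import struct

PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # 802.1X PAE group MAC address
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_NAK, EAP_TYPE_TLS = 1, 3, 13


def build_eap(code, ident, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]. Success/Failure carry no Type."""
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return struct.pack("!BBH", code, ident, 4)
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data


def build_eapol(packet_type, body=b"", version=2):
    """EAPoL header: Version(1) Type(1) Body-Length(2), then the body (an EAP packet for type 0)."""
    return struct.pack("!BBH", version, packet_type, len(body)) + body


def build_frame(src_mac, eapol, dst_mac=PAE_GROUP_ADDRESS):
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_frame(frame):
    """Decode Ethernet + EAPoL, and the EAP packet inside when the EAPoL type is EAP-Packet."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPoL header")
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPoL frame")
    version, packet_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPoL body truncated")
    parsed = {"dst": dst, "src": src, "version": version, "eapol_type": packet_type}
    if packet_type == EAPOL_EAP_PACKET:
        if body_len < 4:
            raise ValueError("EAP header truncated")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > body_len:
            raise ValueError("bad EAP length")
        eap = {"code": code, "id": ident}
        if code in (EAP_REQUEST, EAP_RESPONSE):
            if eap_len < 5:
                raise ValueError("EAP request/response without Type")
            eap["type"], eap["data"] = body[4], body[5:eap_len]
        parsed["eap"] = eap
    return parsed


def supplicant_reply(request_frame, identity, own_mac, supported=(EAP_TYPE_TLS,)):
    """Answer an EAP-Request: Identity gets our identity; an unsupported method gets a NAK
    listing the methods we accept (RFC 3748). The identifier is echoed so the peer can match it."""
    eap = parse_frame(request_frame).get("eap")
    if eap is None or eap["code"] != EAP_REQUEST:
        return None
    if eap["type"] == EAP_TYPE_IDENTITY:
        reply = build_eap(EAP_RESPONSE, eap["id"], EAP_TYPE_IDENTITY, identity.encode())
    elif eap["type"] in supported:
        return None   # method-specific exchange (e.g. the TLS handshake) is outside this example
    else:
        reply = build_eap(EAP_RESPONSE, eap["id"], EAP_TYPE_NAK, bytes(supported))
    return build_frame(own_mac, build_eapol(EAPOL_EAP_PACKET, reply))


def session_outcome(frame):
    """Map the final EAP-Success/EAP-Failure from the authenticator to the port state."""
    eap = parse_frame(frame).get("eap")
    if eap is None:
        return None
    return {EAP_SUCCESS: "authorized", EAP_FAILURE: "unauthorized"}.get(eap["code"])
```

The authenticator never interprets the EAP method itself: it strips the EAPoL header and relays the EAP packet to the authentication server inside a RADIUS EAP-Message attribute, which is why the same parser works for whichever method the server chooses.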

52
Q

802.1X Four Phases

A
  • Session Initiation
  • Session Authentication
  • Session Authorization
  • Session Accounting
53
Q

Also called a per-user ACL. An ACL that can be applied dynamically to a port. Examples are ACLs pushed down from Cisco ISE

A

dACL (downloadable ACL)

54
Q

The centralized AAA and policy engine solution from Cisco. Integrates with numerous Cisco products and third-party solutions to allow you to maintain visibility of who and what is accessing your network.

A

Cisco Identity Services Engine (Cisco ISE)

55
Q

Provides cross-platform integration capability among security monitoring applications, threat detection systems, asset management platforms, network policy systems and practically any other IT operations platform

A

Cisco Platform Exchange Grid (pxGrid)

56
Q

Cisco ISE service that allows you to dynamically detect and classify endpoints connected to the network

A

Cisco ISE Profiling Services

57
Q

A solution and architecture that provides the ability to perform network segmentation and enables access controls based primarily on the role of the user (and other attributes) requesting access to the network

A

Cisco TrustSec

58
Q

A feature (RFC 5176) that allows a RADIUS server to adjust an active client session, for example to apply a new authorization or force reauthentication after the session has been established.

A

Change of Authorization (CoA)

59
Q

Global configuration command that enables the Cisco Common Classification Policy Language (C3PL) style of authentication configuration

A

authentication display new-style

60
Q

A structured replacement for feature-specific configuration commands. This concept allows you to create traffic policies based on events, conditions and actions

A

Cisco Common Classification Policy Language