Authentication Flashcards

(32 cards)

1
Q

Identity and Access Management

A

security protocol that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets such as network, OS and applications.

2
Q

Kerberos

A

Kerberos is a network authentication protocol designed to allow computers to verify the identity of users and services securely over an untrusted network (like the internet or a local network).

Kerberos is a widely used protocol for implementing SSO, especially in Active Directory (AD) environments.

3
Q

Single Sign-On

A

Single Sign-On (SSO) is an authentication method that lets users log in once and gain access to multiple applications or services without needing to log in again.

4
Q

Three components of Kerberos

A
  1. Client – Requests access to a service
  2. Server – Provides the requested service
  3. KDC (Key Distribution Center) – Verifies identity and issues tickets
5
Q

KDC Components

A
  1. Authentication Service (AS)
    • Verifies initial login requests
    • Issues the Ticket Granting Ticket (TGT)
    • The user (or principal) is now authenticated
  2. Ticket Granting Service (TGS)
    • Receives the TGT from the client
    • Issues a Service Ticket, which allows the user to access a specific resource (like a file share or email server)
6
Q

Kerberos Authentication flow

A
  1. User logs in → Sends request to KDC (AS)
  2. KDC validates → Sends back a TGT
  3. User wants service → Sends TGT to TGS
  4. TGS validates TGT → Issues Service Ticket
  5. User presents Service Ticket → Access granted to the application
7
Q

Public Key Infrastructure (PKI)

A

Framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.

8
Q

Remote Authentication Dial-in User Service (RADIUS)

A

AAA protocol used to manage remote and wireless authentication infrastructures.

9
Q

Terminal Access Controller Access Control System (TACACS+)

A

a protocol used for authentication, authorization, and accounting (AAA) in network devices like routers, switches, and firewalls. It is commonly used by organizations to manage who can access their devices and what actions they can perform.

10
Q

Access Control Models

A
  1. Discretionary Access Control (DAC)
    - Ownership-based: Every resource has an owner.
    - The owner has full control over it and can assign permissions via Access Control Lists (ACLs).
    - Example: If you create a file, you can give or deny access to other users.
  2. Role-Based Access Control (RBAC)
    - Task/role-based: Permissions are grouped into roles based on job functions.
    - Users (called principals) are assigned to roles, which grant them access indirectly.
    - Only system owners can assign or change roles—users can’t assign themselves permissions.
    - More secure and controlled than DAC (nondiscretionary).
  3. Security Groups
    - A hybrid concept used in systems like Windows.
    - Users are assigned to security group accounts, which have permissions.
    - Users gain rights by group membership, not by direct assignment.
    - Not the same as RBAC:
11
Q

Privileged Access Management (PAM)

A

The practice of securing and controlling the use of these accounts to reduce the risk of abuse or compromise

12
Q

Core principles of PAM

A

Least privilege: Only give users the access they absolutely need to do their job.
Separation of Duties: Divide critical responsibilities among different people.

13
Q

Authorization Creep

A

when a user gradually accumulates more privileges over time

14
Q

Separation of Duties

A

Security policy concept that states that duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.

15
Q

Lightweight Directory Access Protocol (LDAP)

A

Network protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.

16
Q

Methods to make LDAP secure

A
  1. Simple bind: Sends DN + Password (insecure)
  2. Simple Authentication and Security Layer (SASL): Framework that supports secure mechanisms
  3. LDAP over TLS/SSL: Uses TLS encryption with server certificate.
17
Q

Defense in Depth

A

A modern security approach using multiple layered defenses across the network.

18
Q

Network Access Control

A

Security solution that authenticates and controls which devices can access a network.

19
Q

Sinkhole VLAN

A

A type of VLAN that traps and isolates unwanted traffic.

20
Q

MAC Filtering

A

Limits which devices can access the network based on their MAC address.

21
Q

MAC Filtering implementation

A
  1. Static MAC filtering: Manually assign valid MAC addresses.
  2. Sticky MACs: Switch learns and remembers the first connected MAC(s).
  3. MAC address limit: Restricts how many devices can use the port.
22
Q

Extensible Authentication Protocol (EAP)

A

A framework that supports different authentication methods like passwords, digital certificates, and smart cards.

23
Q

IEEE 802.1X (AKA Port-based NAC)

A

Works with EAP to enforce pre-authentication. It is applied before Ethernet switch ports, WAPs, VPN gateways.

24
Q

Dynamic ARP Inspection (DAI)

A

Prevents ARP poisoning and on-path attacks by inspecting the ARP packets and checking against an IP:MAC database.

25
Q

DHCP Snooping

A

Detects MAC spoofing and blocks rogue DHCP servers by monitoring DHCP traffic on access ports. Only trusted ports can send DHCP offers.

26
Q

IPv6 Protections

A
  1. Neighbor Discovery Inspection: Validates neighbor discovery messages.
  2. Router Advertisement Guard: Blocks unauthorized router advertisement messages.
27
Q

VLAN Security

A
  1. Double tagging mitigation: Avoid using the default VLAN ID for user access.
  2. Trunk Protection: Allow specific ports to act as trunks and prevent auto-enabling trunking.
28
Q

Spanning Tree protection

A

Attackers can try to become the root bridge to intercept and reroute traffic. Bridge Protocol Data Unit (BPDU) Guard can be used to block ports if unexpected BPDUs are received. Root Guard ensures designated ports don't accept new root bridge elections.

29
Q

Port Mirroring

A

A network switch feature that allows traffic on one or more ports to be copied and sent to another port for analysis. It's essential for network monitoring, troubleshooting, and security auditing.

30
Q

Unicast Traffic

A

Is usually sent from one device to another.

31
Q

Firewall ACL (Access Control List)

A

Rules used to control traffic between network segments. These segments are often based on VLANs or subnets, and traffic between them must be routed or filtered.