Authentication Flashcards
(32 cards)
Identity and Access Management
security protocol that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets such as network, OS and applications.
Kerberos
Kerberos is a network authentication protocol designed to allow computers to verify the identity of users and services securely over an untrusted network (like the internet or a local network).
Kerberos is a widely used protocol for implementing SSO, especially in Active Directory (AD) environments.
Single Sign-On
Single Sign-On (SSO) is an authentication method that lets users log in once and gain access to multiple applications or services without needing to log in again.
Three components of Kerberos
- Client – Requests access to a service
- Server – Provides the requested service
- KDC (Key Distribution Center) – Verifies identity and issues tickets
KDC Components
- Authentication Service (AS)
- Verifies initial login requests
- Issues the Ticket Granting Ticket (TGT)
- The user (or principal) is now authenticated
- Ticket Granting Service (TGS)
- Receives the TGT from the client
- Issues a Service Ticket, which allows the user to access a specific resource (like a file share or email server)
Kerberos Authentication flow
- User logs in → Sends request to KDC (AS)
- KDC validates → Sends back a TGT
- User wants service → Sends TGT to TGS
- TGS validates TGT → Issues Service Ticket
- User presents Service Ticket → Access granted to the application
Public Key Infrastructure (PKI)
Framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.
Remote Authentication Dial-in User Service (RADIUS)
AAA protocol used to manage remote and wireless authentication infrastructures.
Terminal Access Controller Access Control System (TACACS+)
a protocol used for authentication, authorization, and accounting (AAA) in network devices like routers, switches, and firewalls. It is commonly used by organizations to manage who can access their devices and what actions they can perform.
Access Control Models
- Discretionary Access Control (DAC)
- Ownership-based: Every resource has an owner.
- The owner has full control over it and can assign permissions via Access Control Lists (ACLs).
- Example: If you create a file, you can give or deny access to other users. - Role-Based Access Control (RBAC)
- Task/role-based: Permissions are grouped into roles based on job functions.
- Users (called principals) are assigned to roles, which grant them access indirectly.
- Only system owners can assign or change roles—users can’t assign themselves permissions.
- More secure and controlled than DAC (nondiscretionary). - Security Groups
- A hybrid concept used in systems like Windows.
- Users are assigned to security group accounts, which have permissions.
- Users gain rights by group membership, not by direct assignment.
- Not the same as RBAC:
Privileged Access Management (PAM)
The practice of securing and controlling the use of these accounts to reduce the risk of abuse or compromise
Core principles of PAM
Least privilege: Only give users the access they absolutely need to do their job.
Separation of Duties: Divide critical responsibilities among different people.
Authorization Creep
when a user gradually accumulates more privileges over time
Separation of Duties
Security policy concept that states that duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.
Lightweight Directory Access protocol (LDAP)
Network protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.
Methods to make LDAP secure
- Simple bind: Sends DN + Password (insecure)
- Simple Authentication and Security Layer (SASL): Framework that supports secure mechanisms
- LDAP over TLS/SSL: Uses TLS encryption with server certificate.
Defense in Depth
A modern security approach using multiple layered defenses across the network.
Network Access Control
Security solution that authenticates and controls which devices can access a network.
Sinkhole VLAN
A type of VLAN that traps and isolates unwanted traffic.
MAC Filtering
Limits which devices can access the network based on their MAC address.
MAC Filtering implementation
- Static MAC filtering: Manually assign valid MAC addresses.
- Sticky MACs: Switch learns and remembers the first connected MAC(s).
- MAC address limit: Restricts how many devices can use the port.
Extensible Authentication Protocol (EAP)
A framework that supports different authentication methods like passwords, digital certificates, and smart cards.
IEEE802.1X (AKA Port-based NAC)
Works with EAP to enforce pre-authentication. It is applied before Ethernet switch ports, WAPs, VPN gateways.
Dynamic ARP Inspection (DAI)
Prevents ARP poisoning and on-path attacks by inspecting the ARP packets and checking against an IP:MAC databse.
