Module 19 Access Control

Question 1

What is the CIA triad?

Answer 1

Confidentiality, Integrity and Availability

Question 2

What is confidentiality?

Answer 2

Only authorized individuals, entities or processes can access sensitive information

Question 3

What is integrity

Answer 3

This refers to the production of data from unauthorized alteration

Question 4

Availability

Answer 4

Authorized users must have uninterrupted access to the network resources and data.

Question 5

What is the zero-trust approach

Answer 5

Never trust, always verify. This contains breaches, reduces risk of an attackers lateral movement throughout a network, and prevents unauthorized access.

Question 6

What is a perimeter?

Answer 6

Any place where access control decisions are required.

Question 7

What are the three pillars of trust?

Answer 7

Zero trust for the workforce, workloads and workplace.

Question 8

What is zero trust for the workforce?

Answer 8

Only right users and secure devices can access applications.

Question 9

What is zero trust for the workloads

Answer 9

This is concerned with applications that are running in the cloud, in data centers, etc. Focuses on secure access when an API is accessing a database within an app.

Question 10

What is zero trust for the workplace

Answer 10

This pillar focuses on secure access for all devices including IoT, that connect to enterprise networks - user endpoints, printers, virtual servers, etc

Question 11

What are the two access control models?

Answer 11

DAC, discretionary access control and mandatory access control (MAC).

Question 12

What is DAC

Answer 12

Discretionary access control, least restrictive, users control access to their data as owners.

Question 13

What is MAC

Answer 13

It assigns security levels to information and enables users with access based on security level clearance.

Question 14

What are the newer models of Access Control?

Answer 14

RBAC, ABAC and TAC

Question 15

What is RBAC

Answer 15

Role-based access control. Different roles, different permissions, more profile driven. Non-discretionary access control.

Question 16

What is ABAC

Answer 16

Attribute based access control. Access based off of objects -

Question 17

What is TAC

Answer 17

Time based access control. Allows access to network resources based on time of day

Question 18

What is RBAC 2

Answer 18

Rule based access control. Network staff specifies set of rules that are associated with access to data or systems.

Question 19

What is AAA?

Answer 19

Network security policy. Specifies how administrators, corporate users, remote users access network resources. A network must be designed to control who is allowed to connect to it.

Question 20

What is authentication?

Answer 20

Authentication can be established using username and password

Question 21

What is authorization?

Answer 21

After user is authenticated, authorization service determines which resources user can access and which operations the user is allow to perform.

Question 22

What is accounting

Answer 22

Accounting records what the user does, what is accessed, amount of time, changes, resources, etc.

Question 23

What are the two Cisco common methods for implementing AAA services?

Answer 23

Local AAA Authentication

Question 24

What is local AAA Authenticaiton

Answer 24

Self-contained authentication, authenticates users against local stored usernames and passwords.

Question 25

What is server-based authentication?

Answer 25

Method authenticates a central AAA server that contains the usernames and passwords for all users. This is better for med-large networks. Example - a router authenticates the username and password using a AAA server like ISE.

Question 26

What is centralized AAA?

Answer 26

More scalable and manageable than local AAA. A centralized AAA system may independently maintain databases for auth, auth and accounting. It can also leverage AD and LDAP for user authen and group membership, while maintaining its own AAA databases,

Question 27

What is the diff between RADIUS AND TACACS+

Answer 27

TACACS+ separates auth, auth and acc. RADIUS does not, combines auth and author. RADIUS (UDP), TACACS+ (TCP), TACACS+ uses CHAP (bi-directional challenge).

Question 28

Name two more differences between TACACS+ and RADIUS?

Answer 28

TACACS+ encrypts entire body of the packet. RADIUS only encrypts the password in the access-request packet from the client to server. More shit is left open for RADIUS. NOT GOOD. But RADIUS does have more log functionality.

Question 29

What are some logging accounts?

Answer 29

Network accounting, EXEC accounting, system accounting, command accounting, resource accounting, etc