59 Cards in this Set
Federations |
a collection of computer networks that agree on standards of operation such as a security standard. |
|
federated identity |
a means of linking a user's identity with their privileges in a manner that can be used across business boundaries (e.g. Microsoft Passport, Google) |
|
Transitive access |
A trusts B. If B trusts C, then A trusts C. |
|
transitive trusts |
a type of relationship that can exist between domains. In all versions of Active Directory, the default is that all domains in a forest trust each other with 2-way, transitive trust relationships. |
|
Authentication protocol examples |
PAP (Password Authentication Protocol): sends credentials in plain text. |
|
tools to retrieve passwords with physical access |
ophcrack |
|
password expiration |
90 days acceptable |
|
minimum password change |
2 days |
|
password history |
24 months recommended |
|
account lockout duration |
duration before the account is unlocked |
|
account lockout threshold |
determines the number of incorrect attempts before the account is locked; range 0-999 |
|
reset account lockout counter after |
minutes to wait between counting failed login attempts; range 0-99,999 |
|
generic account |
any account that is shared by multiple users |
|
privilege assignment |
assigned to a group or a user. |
|
SLIP (Serial Line Internet Protocol) |
designed to connect Unix systems in dial-up environments. |
|
remote authentication types |
TACACS, TACACS+, XTACACS, RADIUS |
|
PPP (Point-to-Point Protocol) |
doesn't provide data security |
|
how does PPP work? |
by encapsulating the network traffic in NCP; authentication is done via LCP, which allows remote users to access the network. Not suitable for WAN connections. |
|
identification |
finding out who someone is |
|
authentication |
mechanism of verifying identification |
|
5 factors of authentication |
something you know (password/PIN); something you have (ID, smart card, token); something you are (biometrics); something you do (action); somewhere you are (geolocation) |
|
out-of-band authentication |
the system uses public records to question you and then authenticate you, e.g. by querying specific entries in a user's credit report |
|
Mutual authentication |
when 2 or more parties authenticate each other |
|
tokens |
security tokens are similar to certificates; used to identify and authenticate; destroyed at the end of the session |
|
most common tunneling protocols |
PPTP (Point-to-Point Tunneling Protocol), L2F (Layer 2 Forwarding), L2TP (Layer 2 Tunneling Protocol), SSH (Secure Shell) |
|
PPTP (Point-to-Point Tunneling Protocol) |
encapsulation in a single-point environment; encapsulates and encrypts PPP packets; negotiation is done in clear text, the channel is encrypted after negotiation; developed by Microsoft; uses TCP 1723 |
|
L2F (Layer 2 Forwarding) |
created by Cisco primarily for dial-up connections; shouldn't be used over WANs; provides authentication but not encryption; uses TCP 1701 |
|
L2TP (Layer 2 Tunneling Protocol) |
developed by Microsoft and Cisco; works over IPX, SNA, and IP; can be used as a bridge; no data security (no encryption); for security it is used with IPSec; uses UDP 1701 |
|
SSH (Secure Shell) |
originally designed for Unix; uses encryption; uses TCP 22 |
|
IPSec (Internet Protocol Security) |
not a tunneling protocol, but used in conjunction with one; primarily used for LAN-to-LAN connections but can be used with remote connections; provides secure authentication and encryption of data and headers; 2 modes: tunnel (data/payload and headers encrypted) and transport (only payload encrypted); an add-on to IPv4, built into IPv6 |
|
RADIUS (Remote Authentication Dial-In User Service) |
allows authentication of remote and other network connections; IETF standard; provides a single source for authentication |
|
TACACS (Terminal Access Controller Access-Control System) |
alternative to RADIUS; the current method is TACACS+; XTACACS combines authentication and authorization with logging to enable auditing |
|
VLAN (virtual local area network) |
allows you to create groups of users and systems and segment them on the network; used to contain network traffic to a certain area; increases security by allowing users with similar data sensitivity levels to be segmented together. |
|
SAML (Security Assertion Markup Language) |
open standard based on XML, used for authentication and authorization data; current version is SAML v2.0 |
|
Authentication Services |
LDAP, Kerberos, IAS (Internet Authentication Service), CAS (Central Authentication Service) |
|
LDAP (Lightweight Directory Access Protocol) |
standardized directory access protocol that allows directories (X.500-based directories) to be queried; main protocol used by Active Directory; works on port 389; uses commas between names; LDAPS (secure LDAP) is encrypted with SSL/TLS on port 636 |
|
Kerberos |
designed by MIT; allows for single sign-on to a distributed network; uses a KDC (key distribution center) that authenticates the principal and provides it with a ticket; the KDC can be a single point of failure |
|
TGT (ticket granting ticket) |
encrypted; time limit of 10 hrs; lists user privileges; works like a token |
|
Primary methods of access control |
MAC (mandatory access control), DAC (discretionary access control), RBAC (role-based access control), RBAC (rule-based access control) |
|
MAC (mandatory access control) |
all access is predefined (static relations); inflexible; administrators make the changes; considered the most secure |
|
DAC (discretionary access control) |
flexible; uses ACLs to map user permissions to a resource; the owner of the resource controls privileges |
|
RBAC (role-based access control) |
based upon established roles; group-based control/permissions |
|
RBAC (rule-based access control) |
uses settings in pre-configured security policies; often used with role-based access control; easiest to implement with ACLs |
|
Smart Cards |
2 types: CAC (common access card) and PIV (personal identity verification) |
|
CAC (common access card) |
issued by the DoD as a general ID/authentication card; picture on the front, the back has a magnetic stripe and barcode |
|
PIV (personal identity verification) |
for federal employees; required for physical/logical access to government resources |
|
implicit deny |
implied at the end of each access control list; means that if access hasn't been explicitly granted by the rules above, then access is denied. |
|
Firewall rules |
act like ACLs; 3 possible actions: block, allow, allow only if secure |
|
port security |
works at layer 2 of the OSI model; allows only certain MAC addresses to access a port; includes MAC limiting and filtering, 802.1X (port authentication), and disabling unused ports |
|
flood guards |
protection feature for firewalls that allows the admin to tweak tolerance for unanswered login attacks; mitigates DoS attacks |
|
loop protection |
prevents broadcast loops; choice between disabling broadcast forwarding and protecting against duplicate ARP requests |
|
STP (spanning tree protocol) |
intended to ensure loop-free bridged Ethernet LANs; ensures only one active path exists between 2 stations; works at the data link layer |
|
network bridging |
a device has more than 1 network adapter card installed and a user jumps to the other network |
|
Log analysis |
store logs for baselining; log analysis program: ManageEngine |
|
Trusted OS (trusted operating system) |
any OS that meets the government's requirements for security |
|
CC (common criteria) |
the most common set of standards for security; a joint effort between Canada, France, Germany, the Netherlands, the UK and the USA; the evaluation criteria are broken down into 7 Evaluation Assurance Levels (EALs) |
|
Evaluation Assurance Levels (EALs) |
EAL1: system operates correctly, security threats not serious; EAL2: developers use good design practices, security not a high priority; EAL3: conscientious development to provide moderate security; EAL4: positive security engineering, commercial development practices, the benchmark for commercial products; EAL5: security engineering implemented since the early design phase, high levels of security assurance; EAL6: high levels of specialized security engineering assurance, highly secure against penetration attackers; EAL7: requires extensive testing, measurement and complete independent testing of every component. EALs replaced TCSEC and ITSEC |
|
configure router securely |
1. change the default password; 2. walk through the advanced settings; 3. keep the firmware upgraded |
|
password types for Cisco routers |
Type 7: weak encryption; MD5: encryption uses a one-way hash, configured via enable secret |