These are protocols which are used to authenticate systems, such as devices and users, across a network.
Sends the username in plaintext.
Sends the password in plaintext.
This protocol uses a 3-way handshake.
The user makes an authentication request to the server.
The server sends a challenge back to the user.
The user uses their password to encrypt the challenge.
The challenge is then sent back to the server.
The server will validate the response and determine whether the user is authorized.
The user password never goes across the network.
Commonly used in non-Microsoft environments.
MS-CHAP - Microsoft CHAP implementation
MS-CHAPv2 - Provides mutual authentication between 2 systems.
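The challenge-response exchange in the steps above, worked through as an added example (not code from the original notes). It follows the CHAP computation defined in RFC 1994 with MD5, where the response is MD5(identifier || secret || challenge), so the password itself never crosses the network; the `ChapServer` class, the sample user database and the `run_handshake` helper are my own constructions for the demonstration.

```python
import hashlib
import hmac
import os

# RFC 1994 CHAP with MD5: response = MD5(identifier || secret || challenge).
# Only the challenge and this hash travel across the network; the shared
# secret (the user's password) stays on both endpoints.

def chap_response(identifier, secret, challenge):
    """Peer side: derive the response for a given challenge (step 3 of the notes)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapServer:
    """Authenticator side: issues challenges and validates responses (hypothetical helper)."""

    def __init__(self, user_db):
        self.user_db = user_db     # username -> shared secret (constructed sample data)
        self.pending = {}          # identifier -> outstanding challenge

    def issue_challenge(self, identifier):
        """Step 2: send a fresh random challenge; it is never reused."""
        challenge = os.urandom(16)
        self.pending[identifier] = challenge
        return challenge

    def validate(self, identifier, username, response):
        """Step 4/5: recompute the expected hash and compare in constant time."""
        challenge = self.pending.pop(identifier, None)   # one use only: a replay fails
        if challenge is None:
            return False
        secret = self.user_db.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)

def run_handshake(server, username, secret, identifier=1):
    """Simulate request -> challenge -> response -> verdict for one user."""
    challenge = server.issue_challenge(identifier)              # server -> user
    response = chap_response(identifier, secret, challenge)      # user computes locally
    return server.validate(identifier, username, response)       # user -> server

if __name__ == "__main__":
    srv = ChapServer({"alice": b"correct horse"})    # constructed user database
    print("good password:", run_handshake(srv, "alice", b"correct horse"))
    print("bad password: ", run_handshake(srv, "alice", b"wrong"))
```

Because the server discards a challenge once it has been answered, a captured response cannot be replayed against a later login; the constant-time comparison avoids leaking the expected hash through timing differences.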
This is actually a framework which handles authentication between systems across a network.
It is commonly implemented on IEEE 802.11 wireless networks.
EAP-FAST - EAP Flexible Authentication via Secure Tunneling.
EAP-TLS - EAP Transport Layer Security.
EAP-TTLS - EAP Tunneled Transport Layer Security.
LEAP - Lightweight EAP.
PEAP - Protected EAP.
This is a standard which outlines how to implement network access control.
Provides port-based authentication.
Contains 3 components: the supplicant (user system), the authenticator (network device) and the authentication server.
Can be implemented on both wired and wireless networks.
An open standard authentication protocol and mechanism.
Uses UDP ports 1812 (authentication) and 1813 (accounting).
Uses UDP ports 1645 and 1646 on older legacy systems.
RADIUS only encrypts the password.
RADIUS is used to centralize AAA services on a network.
Components: Access client (user device), RADIUS client (network device) and the RADIUS server.
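To make the point that RADIUS only encrypts the password concrete, here is an added example (not code from the original notes) implementing the User-Password hiding scheme from RFC 2865 section 5.2: the password is padded to 16-byte blocks and XORed with MD5(shared secret || Request Authenticator), chained block by block. The `build_access_request_attrs` helper, the sample shared secret and the sample authenticator are my own constructions; it shows that the User-Name attribute in the same packet is sent as plain bytes.

```python
import hashlib

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, shared_secret, request_authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret || previous block)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if len(padded) > 128:
        raise ValueError("password too long for the attribute")
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        hidden += block
        prev = block          # chaining: next key stream depends on previous ciphertext
    return hidden

def reveal_password(hidden, shared_secret, request_authenticator):
    """Server side: the inverse of hide_password (assumes no trailing NUL in the password)."""
    padded, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        padded += _xor(hidden[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        prev = hidden[i:i + 16]
    return padded.rstrip(b"\x00")

def encode_attribute(attr_type, value):
    """RADIUS attribute TLV: type (1 byte), length including header (1 byte), value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request_attrs(username, hidden_password):
    """Constructed attribute list: User-Name (type 1) is plain, User-Password (type 2) is hidden."""
    return encode_attribute(1, username.encode()) + encode_attribute(2, hidden_password)

if __name__ == "__main__":
    auth = bytes(range(16))                # constructed Request Authenticator (normally random)
    hidden = hide_password(b"secret1", b"shared", auth)
    print("hidden:", hidden.hex())
    print("attrs :", build_access_request_attrs("alice", hidden))
```

Everything except the password attribute, including the username and the accounting data, is readable by anyone on the path between the RADIUS client and server, which is why RADIUS traffic is normally confined to a management network or carried inside IPsec or RadSec (RADIUS over TLS).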
This is a Cisco proprietary standard.
TACACS separates the authentication and authorization roles.
Uses TCP port 49.
Provides encryption of TACACS messages.
Supports multiple protocols.
This is an open source authentication protocol.
Provides protection against replay attacks.
Time-based authentication system.
Kerberos is implemented as part of Active Directory (AD) in a Microsoft Windows domain.
Components: Authentication server, Key distribution center, Ticket-granting ticket and Ticket-granting service.
A user sends an Authentication Request to the Kerberos Server.
The Kerberos Server sends a Ticket-granting Ticket (TGT) to the user.
The TGT is stored on the user device and has a timestamp associated with it.
Any time the user has to access a network-based resource, the user device sends the TGT back to the server to verify that the user is allowed to access that specific resource.
The Kerberos Server will issue a Session Key to the user.
The user will send the Session Key to the resource server.
The Resource Server does not directly communicate with the Kerberos server.
Access controls are used to ensure access is provided only to those who are authorized to access a resource.
Access control is also used to reduce the risk on a system and network.
A subject (user) will be assigned an Access Level (security clearance) to access an Object (Sensitivity Label).
This model is commonly used on many operating systems.
The owner of a file or data can determine who has access to the file and what privileges are assigned to a user.
This is a very flexible model as the access control is managed by the owner of the file or object.
This type of access control is based on your job role within an organization.
This model ensures a person with a certain job role has all the privileges he or she needs to perform their job efficiently.
Such access controls can be created using Group Policy Objects (GPOs) in a Windows Server environment.
These rules are usually created by an administrator on a system such as a Firewall appliance on a network.
The rules may be designed to filter traffic between a source and destination network or even filter various traffic types.
This type of access control is considered to be the next generation of authorization access control model.
ABAC uses a combination of attributes such as time of day and your location via IP address to determine your access level.
Location
Operating system
Device
IP address
Subnet
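The access control models described above (clearance versus sensitivity label, owner-managed permissions, job-role permissions, administrator rules that filter by source and destination, and attribute checks on time of day, IP address, subnet, operating system and device), each worked through as a small policy decision function in one added example. This is not code from the original notes; the label lattice, users, roles, firewall rules and corporate subnet are constructed sample data.

```python
import ipaddress
from datetime import time

# ---- MAC: subject clearance (access level) vs object sensitivity label ----
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}   # constructed lattice

def mac_allows_read(subject_clearance, object_label):
    """Read is permitted only when the subject's clearance dominates the object's label."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]

# ---- DAC: the owner decides who may access the object and with what privileges ----
class DacObject:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write", "grant"}}   # owner starts with full rights

    def grant(self, grantor, grantee, perms):
        """Only a subject holding 'grant' (the owner by default) may extend access."""
        if "grant" not in self.acl.get(grantor, set()):
            return False
        self.acl.setdefault(grantee, set()).update(perms)
        return True

    def allows(self, subject, perm):
        return perm in self.acl.get(subject, set())

# ---- RBAC: permissions attach to job roles; users are assigned roles ----
ROLE_PERMS = {"helpdesk": {"reset_password"}, "dba": {"backup_db", "restore_db"}}
USER_ROLES = {"bob": {"helpdesk"}, "carol": {"dba", "helpdesk"}}   # constructed assignments

def rbac_allows(user, perm):
    return any(perm in ROLE_PERMS.get(role, set()) for role in USER_ROLES.get(user, ()))

# ---- Rule-based: ordered administrator rules, firewall style, first match wins ----
FW_RULES = [
    # (source network, destination network, protocol, action)
    ("10.20.0.0/16", "10.30.0.0/24", "tcp", "allow"),
    ("0.0.0.0/0",    "0.0.0.0/0",    "any", "deny"),   # explicit default deny
]

def rule_based_decision(src_ip, dst_ip, proto):
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, rule_proto, action in FW_RULES:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and rule_proto in ("any", proto)):
            return action
    return "deny"   # nothing matched: fail closed

# ---- ABAC: combine subject, device and environment attributes ----
ALLOWED_SUBNET = ipaddress.ip_network("10.20.0.0/16")   # constructed corporate range
WORK_START, WORK_END = time(8, 0), time(18, 0)
MANAGED_OS = {"Windows", "macOS"}

def abac_allows(request):
    """request: dict with 'ip', 'time' (datetime.time), 'os' and 'device_managed'."""
    in_subnet = ipaddress.ip_address(request["ip"]) in ALLOWED_SUBNET
    in_hours = WORK_START <= request["time"] <= WORK_END
    return (in_subnet and in_hours
            and request["os"] in MANAGED_OS
            and bool(request["device_managed"]))

if __name__ == "__main__":
    print("MAC  :", mac_allows_read("secret", "top_secret"))
    print("RBAC :", rbac_allows("carol", "backup_db"))
    print("Rule :", rule_based_decision("10.20.5.5", "10.30.0.9", "udp"))
    print("ABAC :", abac_allows({"ip": "10.20.3.4", "time": time(9, 30),
                                 "os": "Windows", "device_managed": True}))
```

Each function returns a decision from a single policy model; a real system typically layers them (for example an RBAC decision further restricted by ABAC conditions), and every evaluator here fails closed when no rule or attribute grants access.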
Responsible for controlling and monitoring users with high-level privileges.
Monitors how the permissions are used on the system and network.
Provides auditing of users.
Thycotic
CyberARK
Arcon
One Identity Safeguard