Welcome back to the Cybrary video series on the CompTIA Security+ SY0-501 certification and exam.
I'm your instructor, Ron Warner.
In this video, we'll continue discussing Domain 4, Identity and Access Management.
The requirements for section 4.2 are: given a scenario, install and configure identity and access services.
This video discusses the various identity and access services and explores how they're used.
The topics in this video include legacy identity and authentication systems like NTLM and PAP;
services that use tickets, such as Kerberos;
services that use challenge mechanisms, such as Challenge Handshake Authentication Protocol (CHAP);
remote access services such as RADIUS;
and federated services such as OAuth.
You can see some of the other services we'll discuss, and that you need to be familiar with, on your screen.
Our first topic is on directories and directory service protocols.
Consider a directory to be a data store similar to a database.
They are repositories of an organization's network resources and users.
Most follow a hierarchical database format based on the X.500 standard.
A directory service manages the entities, entries, and data in the directory and enables access control and identity management. There are two primary types of directories you should be familiar with: Microsoft Active Directory and LDAP.
LDAP, or Lightweight Directory Access Protocol, provides access to directory services, including those used by Microsoft AD. LDAP was created as a lightweight alternative to earlier implementations of the X.500 directory access protocol and communicates over port 389.
Its main purpose is querying the LDAP user database, which is a pared-down X.500-based directory.
The screen shows an example of an LDAP hierarchy.
LDAP is used for queries, so the process is simple. The client sends an authentication request to the LDAP server. The server queries the database to determine whether the client can authenticate.
After authenticating, the client requests access to resources. The server again queries the database to determine whether the client has permissions for authorization to access the requested resources.
In a Microsoft environment, LDAP is used to read from and write to Active Directory.
By default, LDAP traffic is transmitted unsecured and is subject to the following vulnerabilities: buffer overflow vulnerabilities that could be used to execute arbitrary commands on the server; format string vulnerabilities that may result in unauthorized access to commands on the LDAP server; and improperly formed requests.
It's recommended that SSL/TLS be used to encrypt the network traffic and that LDAPv3 bind requests use SASL.
You need to familiarize yourself with all of the concepts associated with LDAP, as it's used fundamentally throughout the business world, and you very well may see a question on it on your Security+ exam.
Kerberos is an authentication protocol that has been around for decades and is an open standard.
A symmetric key means that both the client and the server must agree on and use a single key in the encryption and decryption process.
We'll talk more about symmetric keys later on in the section on cryptography.
Kerberos authenticates using a key distribution center, or KDC, to orchestrate the process.
The KDC authenticates the principal, which could be a user, program, or system, and provides it with a ticket.
After this ticket is issued, it can be used to authenticate against other principals: the idea of transitive trust.
This process occurs automatically when another principal performs a request or service.
Short life spans of tickets and the use of third-party systems and encryption provide layers of security for Kerberos.
For the Security+ exam, be familiar with the different terms associated with Kerberos.
Let's dive into some specifics regarding Kerberos.
When using Kerberos, the user authenticates to the KDC and is given a ticket granting ticket (TGT).
This ticket is encrypted and has a time limit of up to 10 hours.
The ticket lists the privileges of that user.
Each time the user wishes to access some resource on the network, the user's computer presents the TGT (ticket granting ticket) to the KDC.
The TGT then sends the user's computer a service ticket, granting the user access to that service.
Service tickets are usually only good for five minutes.
The user's computer then sends the service ticket to the server the user is trying to access.
As a final authentication check, that server then communicates with the TGT to confirm and validate the service ticket.
The image on this slide walks you through the Kerberos process: the requests for tickets and how the servers communicate.
Once again, be familiar with the terms and this process. Even though this image shows Windows 2003, the process is fundamentally the same through all Windows servers.
As mentioned earlier, Kerberos has been around for a very long time and has proven to be a robust and efficient process.
Two prominent security protocols used to control access on networks are RADIUS and TACACS+.
We'll start by discussing RADIUS, Remote Authentication Dial-In User Service. Don't let the word "dial-in" confuse you; it's still used today.
It's used for remote access control and provides authentication and access within the enterprise network, using UDP transport to a central network access server.
In turn, this provides credentials for client access to resources within the extended enterprise.
As an example, a protected network segment might implement a VPN remote access server gateway connection to allow an authenticated external service request to reach a protected server by communicating with a RADIUS server. The requesting account must provide credentials to the RADIUS server, which then authorizes the access request.
The RADIUS service can forward authentication and authorization requests between authentication domains called realms, and thus can facilitate cross-enterprise authentication, often as part of a single sign-on solution.
TACACS+, or Terminal Access Controller Access Control System Plus, is a protocol that was developed by Cisco and released as an open standard.
Although it's derived from TACACS, TACACS+ is a separate protocol that handles authentication, authorization, and accounting (AAA).
TACACS+ is similar to RADIUS but uses TCP as the transport method. Keep that in mind: RADIUS uses UDP, TACACS+ uses TCP.
TACACS+ uses port 49 as the default port.
TACACS+ takes a client-server model approach. The client first queries the server. The client is typically a router or a firewall, used to determine whether a user has proper authorization to access the network.
The server sends back a reply stating whether the user passed authentication.
Both TACACS+ and RADIUS contain an accounting function, to be able to track who's doing what across your network. TACACS+ has several advantages over RADIUS:
one, TCP over UDP, connection-oriented versus connectionless; two, TACACS+ encrypts the entire body of the packet rather than just the authentication;
and three, TACACS+ controls the authorization of router commands.
Consider an example of when TACACS+ should be used instead of RADIUS.
One last note on TACACS+: it should only be running on its own server and should not be running with other applications, to minimize the chance of compromising the entire user password database.
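To make the "encrypts only the authentication" contrast concrete, here is an added example (not from the video) of the User-Password hiding defined in RFC 2865 section 5.2: only that one attribute is obscured with MD5 and the shared secret, while User-Name and the Request Authenticator travel in clear text. The secret, username and password values are constructed samples, and the dictionary stands in for a real Access-Request packet.

```python
import hashlib
import os

# Added example (not from the video): RFC 2865 section 5.2 User-Password hiding.
# Only this attribute is obscured; the rest of the Access-Request is clear text,
# which is the coverage the video contrasts with TACACS+ encrypting the whole body.

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_user_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Pad the password with NULs to a multiple of 16 octets, then XOR each
    block with MD5(secret || previous block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden

def reveal_user_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server side: undo the chaining with the same secret, then strip the NUL padding."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")

def access_request(secret: bytes, username: str, password: bytes) -> dict:
    """The attributes a sniffer sees: Request Authenticator and User-Name in clear,
    User-Password hidden. Constructed stand-in for a full RADIUS packet encoder."""
    authenticator = os.urandom(16)   # random Request Authenticator per request
    return {"Request-Authenticator": authenticator,
            "User-Name": username.encode(),
            "User-Password": hide_user_password(secret, authenticator, password)}

if __name__ == "__main__":
    req = access_request(b"constructed-secret", "alice", b"Pa55word")  # sample values
    print(req)   # username readable, password bytes hidden
```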
Password Authentication Protocol, or PAP, is a simple authentication protocol in which the username and password are sent to a remote access server in plain text.
There's no protection from playback or trial-and-error attacks, so anyone sniffing your network could see the credentials flying across the network in clear text.
This is a legacy protocol that should no longer be used.
Challenge Handshake Authentication Protocol, or CHAP, can be used to provide on-demand authentication within an ongoing data transmission.
It uses a one-way hashing function: the server first requests a CHAP response from the client;
the client creates a hash value, derived using MD5,
and sends this value to the server, which then calculates the expected value itself.
CHAP is an improvement over PAP because it hashes the password, but it still sends the username in clear text.
CHAP is also considered a legacy protocol that should be replaced with a more modern one for authentication.
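The challenge/response round trip just described, as an added example that is not part of the video: it follows the RFC 1994 formula, response = MD5(identifier || shared secret || challenge), shows that the username is visible on the wire while the password is not, and shows why a fresh challenge per round rejects a replayed response. The shared secret and username are constructed sample values.

```python
import hashlib
import hmac
import os

# Added example (not from the video): a minimal model of the CHAP round trip
# from RFC 1994. The response is MD5(identifier || shared secret || challenge);
# the shared secret itself never crosses the wire.

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: hash the secret together with the server's challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(identifier: int, secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Server side: recompute the expected value and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)

def chap_exchange(username: str, secret: bytes, identifier: int = 1):
    """One challenge/response round trip.

    Returns (what a sniffer sees on the wire, the challenge used, server verdict).
    The username travels in clear text; the password does not, which is the
    improvement over PAP the video describes.
    """
    challenge = os.urandom(16)                  # fresh random challenge per round
    response = chap_response(identifier, secret, challenge)
    wire = {"id": identifier, "name": username, "response": response.hex()}
    return wire, challenge, chap_verify(identifier, secret, challenge, response)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # constructed sample value
    wire, challenge, ok = chap_exchange("alice", secret)
    print("on the wire:", wire, "accepted:", ok)
    # Replaying the captured response against a new challenge is rejected,
    # because the hash was bound to the old challenge.
    replayed = bytes.fromhex(wire["response"])
    print("replay accepted:", chap_verify(1, secret, os.urandom(16), replayed))
```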
Microsoft CHAP, or MS-CHAP, is an encrypted authentication mechanism that is similar to CHAP.
There's version 1 and version 2.
Version 1 is one-way authentication, while version 2 provides stronger security because it uses a new string each time the authentication is challenged.
In MS-CHAP v2, the client and server mutually authenticate and use two encryption keys,
one for sending the data and one for receiving the data.
All three, PAP, CHAP, and MS-CHAP, are authentication protocols intended to be used primarily by hosts and routers.
All of these are older, less secure protocols.
If MS-CHAP is required, you want to use it with Protected Extensible Authentication Protocol (PEAP), L2TP (Layer 2 Tunneling Protocol), or IPsec.
PEAP provides a TLS/SSL tunnel that protects the authentication traffic,
and it uses a certificate on the authentication server, providing that extra layer of security to go with the authentication data.
Another old legacy authentication protocol you should be aware of is NTLM, NT LAN Manager.
It requires Active Directory and relies on Microsoft Windows user credentials in the authentication process. It has now been replaced by Kerberos, and it's similar to CHAP or MS-CHAP. All NTLM versions are relatively weak in their cryptographic scheme
and lack multi-factor authentication support. So again, NTLM should be phased out.
Our next topic is federated services. Remember the term federation from a previous session.
Technologies used for federated identity include Security Assertion Markup Language (SAML),
OpenID, Simple Web Tokens, and JSON Web Tokens.
These technologies use secure tokens, and secure token authentication is a better approach to authentication because it's stateless.
Instead of authenticating with a username and password for each resource, the user authenticates once with the username and password and then receives a secure token.
The token is then used for further authentication and expires after a set amount of time.
This method prevents storage of user information on the server or in a session.
We'll discuss each of these technologies individually.
The main purpose of SAML is single sign-on for enterprise users.
You should recall the concept of SSO talked about in an earlier session. The SAML framework defines three main functions:
the user seeking to verify his or her identity is called the principal;
the entity that can verify the identity of the end user is the identity provider;
and the entity that uses the identity provider to verify the identity of the end user is the service provider.
Be familiar with the terms principal, identity provider, and service provider. The main difference between SAML and other identity mechanisms is that SAML relies on assertions about identities.
The weakness in the SAML identity chain is the integrity of the user's. Shibboleth is a SAML-based open source federated identity solution that provides single sign-on capabilities and federated services.
OAuth, Open Authorization, is a framework used for Internet token-based authorization.
The main purpose of OAuth is API authorization between applications. You want to keep that in mind.
Two versions are used; the most current is version 2.0.
OAuth 2.0 defines four roles: resource owner, authorization owner, resource server, and the client.
OAuth 2.0 obtains authorization from the user via an access token and then uses that token to make user requests. OAuth 2.0 also uses the JSON and HTTP protocols.
Because it only provides authorization services, it does not support secure methods such as client verification, encryption, or channel binding.
It relies on the underlying technologies' implementations and other protocols to protect the exchange of data. Therefore, TLS is recommended.
OpenID is used for consumer single sign-on.
OpenID Connect is an identity layer based on the OAuth 2.0 specifications that is used for consumer single sign-on.
OpenID Connect is similar to the open standard OpenID, sponsored by Facebook, Microsoft, Google, PayPal, Ping Identity, Symantec, and Yahoo.
Something else to remember: OpenID Connect uses an ID token structure that contains an authorization server's claims about the authentication of the end user, carried as a JSON Web Token. JSON Web Token is also known as JWT.
A JWT is used to prove that the sent data was created by an authentic source.
It uses a concept called flows to determine how the ID token and access token are returned to the client.
In this video, we have covered numerous topics regarding authentication and authorization protocols and services.
Let's practice with a quiz question.
Question 1: This access control protocol for use on networks uses UDP transport to send authentication information to a centralized server.
CHAP, Kerberos, OpenID v2, or RADIUS?
The answer is RADIUS. Remember: RADIUS uses UDP, TACACS+ uses TCP.
This protocol uses a key distribution center, or KDC, to orchestrate the authentication process.
Be familiar with all the terms associated with Kerberos.
If you have access to the Security+ labs, there's an exercise on configuring RADIUS.
We'll discuss this in a separate video.
This concludes the video for section 4.2:
given a scenario, install and configure identity and access services.
Be familiar with all of the services discussed in this video.
Refer to your test material for more information about these topics.