5. Access Control and Identity
5.1 Explain the function and purpose of authentication
Remote Authentication Dial-In User Service (RADIUS)
: It provides centralized administration of dial-up,
VPN, and wireless authentication and can be used with EAP and
Terminal Access Controller Access-Control System
(TACACS ) : It is remote authentication protocol used
more often in UNIX networks. In UNIX, the TACACS service is
known as the TACACS daemon. The newer and more commonly used
implementation of TACACS is called TACACS+. It is not backward
compatible with TACACS. TACACS+, and its predecessor XTACACS,
were developed by Cisco. TACACS+ uses inbound port 49. TACACS
and XTACACS are not commonly seen anymore. The two common protocols
used today are RADIUS and TACACS+.
Kerberos : Kerberos is basically an authentication
protocol that uses secret-key cryptography for secure authentication.
In Kerberos, all authentication takes place between clients
and servers. The name Kerberos comes from Greek mythology; it
is the three-headed dog that guarded the entrance to Hades.
It was developed by the Massachusetts Institute of Technology,
Kerberos require that the time sources are approximately
in synchronization (with in 5 minutes) with each other. However,
with recent revisions of Kerberos software, this rule has become
Some of the features of Kerberos authentication system:
Uses client-server based architecture.
Kerberos server, referred to as KDC (Key Distribution
Ceter) implements the Authentication Service (AS) and the
Ticket Granting Service (TGS).
The term "application server" generally refers to Kerberized
programs that clients communicate with using Kerberos tickets
for authentication purpose. For example, the Kerberos telnet
daemon (telnetd) is an example of an application server.
When the user wants to talk to a Kerberized service, he uses
the TGT to talk to the Ticket Granting Service (TGS, also runs
on the KDC). The TGS verifies the user's identity using the
TGT and issues a ticket for the desired service.
The TGT ensures that a user doesn't have to enter in their
password every time they wish to connect to a Kerberized service.
The TGT usually expires after eight hours. If the Ticket Granting
Ticket is compromised, an attacker can only masquerade as a
user until the ticket expires.
The following are the important properties of Kerberos:
LDAP (Lightweight Directory Access Protocol) :
It contains the directory for a network and allows for a single
point of user management of that directory.
5.2 Explain the fundamental concepts
and best practices related to authentication, authorization
and access control
Computer based access controls prescribe not only who or
what process may have access to a given resource, but also the
type of access that is permitted. These controls may be implemented
in the computer system or in external devices. Different types
of access control are:
Mandatory Access Control (MAC) secures
information by assigning sensitivity labels on objects (resources)
and comparing this to the level of sensitivity a subject
(user) is operating at. MAC ensures that all users only
have access to that data for which they have matching or
greater security label (or security clearance). In general,
MAC access control mechanisms are more secure than DAC.
MAC is usually appropriate for extremely secure systems
including multilevel secure military applications or mission
critical data applications.
Discretionary Access Control (DAC):
Discretionary Access Control (DAC) is a means of restricting
access to information based on the identity of users and/or
membership in certain groups. Access decisions are typically
based on the authorizations granted to a user based on the
credentials he presented at the time of authentication (user
name, password, hardware/software token, etc.). In most
typical DAC models, the owner of information or any resource
is able to change its permissions at his discretion. DAC
has the drawback of the administrators not being able to
centrally manage these permissions on files/information
stored on the web server.
Role Based Access Control (RBAC): In
Role-Based Access Control (RBAC), access decisions are based
on an individual's roles and responsibilities within the
organization. For instance, in a corporation, the different
roles of users may include those such as chief executive,
manager, executive, and clerk. Obviously, these members
require different levels of access in order to perform their
functions, but also the types of web transactions and their
allowed context vary greatly depending on the security policy.
In Role Based Access Control, the administrator sets the
roles. Therefore, this type of access control is sometimes
considered as a subset of MAC.
Rule Based Access Control (RBAC): The
access to a resource in Rule Based Access Control is based
a set of rules. ACLs (Access Control Lists) are used for
this type of access control. In Rule Based Access Control,
the administrator sets the rules. Therefore, this type of
access control is sometimes considered as a subset of MAC.