Syngress - Eleventh Hour Network+ Exam N10-004 Study Guide (11 ...
136 CHAPTER 8 Security Standards and Services

■ Securing LDAP:
■ LDAP clients must authenticate to the server before being allowed access to the directory.
■ The LDAP server constitutes a security realm, which is used to authenticate users.
■ Clients (users, computers, or applications) connect to the LDAP server using a distinguished name and authentication credentials, usually a password.
■ It is possible for users to make the connection with limited or no authentication, by using either anonymous or simple authentication.
■ To secure LDAP, anonymous clients should be limited or not used, ensuring that only those with proper credentials are allowed access to the information.
■ Authentication information is sent from the client to the server as part of a “bind” operation, and the connection is later closed using an “unbind” operation.
■ The connection can be configured to use TLS to secure transmissions and protect any data sent between the client and the server.
■ LDAP can also be used over Secure Sockets Layer (SSL), which encrypts LDAP connections.
■ LDAP uses TCP/UDP port 389, and LDAPS uses port 636.
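The list above names the two things a directory administrator most wants to catch in practice: anonymous binds, and simple (DN + password) binds that arrive over a connection that never negotiated TLS. The following added example (not from the study guide) runs that check over a handful of constructed log lines written in the style of OpenLDAP's slapd "stats" log level; the line layout, the method code 128 for simple bind, the connection numbers and the addresses are all assumptions of this example, so check them against your own server's logging before relying on the regular expressions.

```python
import re

# Constructed sample lines in the style of OpenLDAP's slapd "stats" log level (the
# exact format is an assumption of this example; verify against your own logs).
# conn=1000: anonymous bind on 389; conn=1001: simple bind on 389 without TLS;
# conn=1002: STARTTLS then simple bind; conn=1003: LDAPS (636) then simple bind.
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=10.0.0.5:52344 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="" method=128
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 UNBIND
conn=1001 fd=13 ACCEPT from IP=10.0.0.7:41002 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1002 fd=14 ACCEPT from IP=10.0.0.9:60123 (IP=0.0.0.0:389)
conn=1002 op=0 STARTTLS
conn=1002 op=0 RESULT oid= err=0 text=
conn=1002 fd=14 TLS established tls_ssf=256 ssf=256
conn=1002 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1002 op=1 RESULT tag=97 err=0 text=
conn=1003 fd=15 ACCEPT from IP=10.0.0.11:33210 (IP=0.0.0.0:636)
conn=1003 fd=15 TLS established tls_ssf=256 ssf=256
conn=1003 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
conn=1003 op=0 RESULT tag=97 err=0 text=
conn=1003 op=1 UNBIND
"""

ACCEPT_RE = re.compile(r'^conn=(\d+) fd=\d+ ACCEPT from IP=(\S+) \(IP=[\d.]+:(\d+)\)')
TLS_RE = re.compile(r'^conn=(\d+) fd=\d+ TLS established')
BIND_RE = re.compile(r'^conn=(\d+) op=\d+ BIND dn="([^"]*)" method=(\d+)')
UNBIND_RE = re.compile(r'^conn=(\d+) op=\d+ UNBIND')

SIMPLE_BIND = 128   # slapd's method code for a simple (DN + password) bind


def audit_binds(lines):
    """Return (conn, client, finding) tuples for binds that break the guidance above.

    - "anonymous-bind": a simple bind with an empty DN, i.e. no credentials at all.
    - "cleartext-simple-bind": a password bind on a connection that never
      negotiated TLS (neither STARTTLS on 389 nor LDAPS on 636).
    """
    conns = {}        # connection id -> {"client", "port", "tls"}
    findings = []
    for line in lines:
        if m := ACCEPT_RE.match(line):
            conns[m[1]] = {"client": m[2], "port": int(m[3]), "tls": False}
        elif m := TLS_RE.match(line):
            conns.setdefault(m[1], {"client": "?", "port": None, "tls": False})["tls"] = True
        elif m := BIND_RE.match(line):
            conn = conns.get(m[1], {"client": "?", "port": None, "tls": False})
            dn, method = m[2], int(m[3])
            if method == SIMPLE_BIND and dn == "":
                findings.append((m[1], conn["client"], "anonymous-bind"))
            elif method == SIMPLE_BIND and not conn["tls"]:
                findings.append((m[1], conn["client"], "cleartext-simple-bind"))
        elif m := UNBIND_RE.match(line):
            conns.pop(m[1], None)   # the unbind closes the connection; drop its state
    return findings


if __name__ == "__main__":
    for conn, client, finding in audit_binds(SAMPLE_LOG.splitlines()):
        print(f"conn={conn} client={client}: {finding}")
```

The check is per connection rather than per line: a simple bind is only acceptable once a "TLS established" record has been seen on that same connection, which covers both STARTTLS on port 389 and LDAPS on port 636. In the sample, only the anonymous bind (conn 1000) and the password bind sent in the clear (conn 1001) are reported.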
PASSWORD AUTHENTICATION PROTOCOL AND CHALLENGE HANDSHAKE AUTHENTICATION PROTOCOL

■ PAP: PAP was used to authenticate users using usernames and passwords. PAP uses a two-way handshake and transmits the username and password in American Standard Code for Information Interchange (ASCII) without any encryption. PAP was replaced by CHAP to provide more security.
■ CHAP: CHAP is a remote access authentication protocol used in conjunction with PPP to provide security and authentication to users of remote resources. CHAP is used to periodically verify the identity of the peer using a three-way handshake. This is done upon initial link establishment and may be repeated anytime after the link has been established.
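To make the difference between the two protocols concrete, here is an added example (not code from the study guide) that builds a PAP Authenticate-Request as laid out in RFC 1334 and then walks through CHAP's three-way handshake as laid out in RFC 1994, where the response is MD5 over the identifier, the shared secret and the challenge. The peer and server classes, the peer names and the secrets are constructed for the example; the shared secret is assumed to have been provisioned on both ends out of band, which is what lets it stay off the wire.

```python
import hashlib
import hmac
import secrets
import struct


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """Build a PAP Authenticate-Request (RFC 1334) as it would appear on the link.

    Layout: Code=1, Identifier, Length, Peer-ID-Length, Peer-ID, Passwd-Length, Password.
    The password is copied into the packet unchanged, which is the weakness the
    study guide describes: anything that captures the link sees it directly.
    """
    body = (struct.pack("!B", len(peer_id)) + peer_id
            + struct.pack("!B", len(password)) + password)
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || Secret || Challenge).

    The shared secret never leaves either end; only this one-way hash is sent.
    """
    return hashlib.md5(struct.pack("!B", identifier) + secret + challenge).digest()


class ChapAuthenticator:
    """Side that issues challenges and checks responses (e.g. a remote-access server)."""

    def __init__(self, secrets_by_peer):
        self._secrets = dict(secrets_by_peer)   # peer name -> shared secret (constructed)
        self._identifier = 0
        self._outstanding = None                # (identifier, challenge) awaiting a response

    def challenge(self):
        """Step 1: send a fresh random Challenge under a new Identifier."""
        self._identifier = (self._identifier + 1) & 0xFF
        self._outstanding = (self._identifier, secrets.token_bytes(16))
        return self._outstanding

    def verify(self, identifier: int, peer_name: bytes, response: bytes) -> bool:
        """Step 3: recompute the expected hash; True means Success, False means Failure."""
        if self._outstanding is None or identifier != self._outstanding[0]:
            return False            # unsolicited or stale, e.g. a replayed earlier response
        _, challenge = self._outstanding
        self._outstanding = None    # a challenge is answerable exactly once
        secret = self._secrets.get(peer_name)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


class ChapPeer:
    """Side being authenticated (e.g. a dial-in client holding its shared secret)."""

    def __init__(self, name: bytes, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes):
        """Step 2: answer the Challenge with Name and the hashed Response."""
        return identifier, self.name, chap_response(identifier, self.secret, challenge)


def run_chap_handshake(auth: ChapAuthenticator, peer: ChapPeer) -> bool:
    """One complete three-way exchange; may be repeated at any time on a live link."""
    identifier, challenge = auth.challenge()                          # 1. Challenge
    identifier, name, response = peer.respond(identifier, challenge)  # 2. Response
    return auth.verify(identifier, name, response)                    # 3. Success / Failure


if __name__ == "__main__":
    server = ChapAuthenticator({b"alice": b"constructed-shared-secret"})
    client = ChapPeer(b"alice", b"constructed-shared-secret")
    print("initial link:", run_chap_handshake(server, client))
    print("periodic re-verification:", run_chap_handshake(server, client))
    print("wrong secret:", run_chap_handshake(server, ChapPeer(b"alice", b"guess")))
    pkt = pap_authenticate_request(1, b"alice", b"constructed-password")
    print("PAP packet carries the password verbatim:", b"constructed-password" in pkt)
```

Two details carry the security argument. Each challenge is random and answerable once, so a captured response is useless against the next challenge, which is why the guide can say the verification "may be repeated anytime" without weakening the secret. And the PAP packet, unlike the CHAP response, contains the password bytes themselves, which is the whole reason CHAP replaced it.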
TERMINAL ACCESS CONTROLLER ACCESS CONTROL SYSTEM/TERMINAL ACCESS CONTROLLER ACCESS CONTROL SYSTEM PLUS

Terminal access controller access control system (TACACS) is used in authenticating remote users. TACACS has gone through three major “generations”:

■ TACACS: TACACS was first developed during the days of Advanced Research Projects Agency Network (ARPANET), and it offers authentication and authorization, but it does not offer any accounting tools.
■ Terminal Access Controller Access-Control System Plus (TACACS+): TACACS+ is a Cisco proprietary version of TACACS that is incompatible with previous versions. TACACS+ uses individual databases for each.