Syngress - Eleventh Hour Network+ Exam N10-004 Study Guide (11 ...

More documents

Recommendations

Info

136 CHAPTER 8 Security Standards and Services ■ Securing LDAP: ■ LDAP clients must authenticate to the server before being allowed access to the directory. ■ The LDAP server constitutes a security realm, which is used to authenticate users. ■ Clients (users, computers, or applications) connect to the LDAP server using a distinguished name and authentication credentials, usually a password. ■ It is possible for users to make the connection with limited or no authentication, by using either anonymous or simple authentication. ■ To secure LDAP, anonymous clients should be limited or not used, ensuring that only those with proper credentials are allowed access to the information. ■ Authentication information is sent from the client to the server as part of a “bind” operation, and the connection is later closed using an “unbind” operation. ■ The connection can be configured to use TLS to secure transmissions and protect any data sent between the client and the server. ■ LDAP can also be used over Secure Sockets Layer (SSL), which encrypts LDAP connections. ■ TCP/UDP port 389 and LDAPS uses port 636. PASSWORD AUTHENTICATION PROTOCOL AND CHALLENGE HANDSHAKE AUTHENTICATION PROTOCOL ■ ■ PAP PAP was used to authenticate users using usernames and passwords. PAP uses a two-way handshake and transmits the username and password in American Standard Code for Information Interchange (ASCII) without any encryption. PAP was replaced by CHAP to provide more security. CHAP CHAP is a remote access authentication protocol used in conjunction with PPP to provide security and authentication to users of remote resources. CHAP is used to periodically verify the identity of the peer using a three-way handshake. This is done upon initial link establishment and may be repeated anytime after the link has been established. TERMINAL ACCESS CONTROLLER ACCESS CONTROL SYSTEM/TERMINAL ACCESS CONTROLLER ACCESS CONTROL SYSTEM PLUS Terminal access controller access control system (TACACS) is used in authenticating remote users. TACACS has gone through three major “generations”: ■ ■ TACACS TACACS was first developed during the days of Advanced Research Projects Agency Network (ARPANET), and it offers authentication and authorization, but it does not offer any accounting tools. Terminal Access Controller Access-Control System Plus (TACACS+) TACACS+ is a Cisco proprietary version of TACACS that is incompatible with previous versions. TACACS+ uses individual databases for each.
Network Access Security 137 TACACS+ was the first revision to offer secure communications between the TACACS+ client and the TACACS+ server. Vulnerabilities and attacks common with TACACS+ are as follows: ■ The encryption used in TACACS+ is based on a shared secret that is rarely changed, so a compromise at any point would ultimately expose future compromises. ■ Birthday attacks The pool of TACACS+ session IDs is not very large; therefore, it is reasonable that two users could have the same session ID. ■ Buffer overflow Like RADIUS, TACACS+ can fall victim to bufferoverflow attacks. ■ Packet sniffing The length of passwords can be easily determined by “sniffing” a network. ■ Lack of integrity checking An attacker can alter accounting records during transmission because the accounting data is not encrypted during transport. EXAM WARNING Make sure you understand the difference between TACACS and TACACS+. The most important thing to remember is that TACACS uses UDP as its transport protocol, whereas TACACS+ uses TCP. Also, TACACS+ is a proprietary version owned by Cisco. MUTUAL AUTHENTICATION Mutual authentication is a process where both the requestor and the target entity must fully identify themselves before communication or access is allowed. DID YOU KNOW Characteristics of mutual authentication are as follows: ■ You can share a secret or you can use a Diffie-Hellman key exchange or certificates. ■ To verify the identities, the Certificate Authority (CA) must be known to both parties, and the public keys for both must be available from the trusted CA. ■ The mutual authentication process is used for access of a user to a network via remote access or authentication via a RADIUS server. ■ 802.1X and EAP provide for a mutual authentication capability. ■ Mutual authentication assists in the mitigation of attacks from MITM types of devices. ■ Any of the following EAP methods provide for mutual authentication: ■ TLS requires that the server supply a certificate and establish that it has possession of the private key. ■ Internet Key Exchange (IKE) requires that the server show possession of a preshared key or private key (this can be considered certificate authentication). ■ GSS_API (Kerberos) requires that the server can demonstrate knowledge of the session key.
Page 2 and 3:
Syngress is an imprint of Elsevier
Page 4 and 5:
xii About the Authors Technical Edi
Page 6 and 7:
2 CHAPTER 1 Network Fundamentals Ne
Page 8 and 9:
4 CHAPTER 1 Network Fundamentals re
Page 10 and 11:
6 CHAPTER 1 Network Fundamentals
Page 12 and 13:
8 CHAPTER 1 Network Fundamentals Wh
Page 14 and 15:
10 CHAPTER 1 Network Fundamentals d
Page 16 and 17:
12 CHAPTER 1 Network Fundamentals
Page 18 and 19:
14 CHAPTER 1 Network Fundamentals T
Page 20 and 21:
16 CHAPTER 1 Network Fundamentals T
Page 22 and 23:
18 CHAPTER 1 Network Fundamentals I
Page 24 and 25:
20 CHAPTER 2 Network Media DID YOU
Page 26 and 27:
22 CHAPTER 2 Network Media Table 2.
Page 28 and 29:
24 CHAPTER 2 Network Media ■ Perf
Page 30 and 31:
26 CHAPTER 2 Network Media Table 2.
Page 32 and 33:
28 CHAPTER 2 Network Media LAN TECH
Page 34 and 35:
30 CHAPTER 2 Network Media CONNECTO
Page 36 and 37:
32 CHAPTER 2 Network Media EXAM WAR
Page 38 and 39:
34 CHAPTER 2 Network Media problems
Page 40 and 41:
36 CHAPTER 2 Network Media electrom
Page 42 and 43:
38 CHAPTER 3 Network Devices Table
Page 44 and 45:
40 CHAPTER 3 Network Devices some o
Page 46 and 47:
42 CHAPTER 3 Network Devices ■
Page 48 and 49:
44 CHAPTER 3 Network Devices ■
Page 50 and 51:
46 CHAPTER 3 Network Devices EXAM W
Page 52 and 53:
48 CHAPTER 3 Network Devices ■ Du
Page 54 and 55:
50 CHAPTER 3 Network Devices Proxy
Page 56 and 57:
52 CHAPTER 3 Network Devices Top Fi
Page 58 and 59:
54 CHAPTER 3 Network Devices the co
Page 60 and 61:
56 CHAPTER 4 Wireless Networking
Page 62 and 63:
Page 64 and 65:
60 CHAPTER 4 Wireless Networking Ta
Page 66 and 67:
62 CHAPTER 4 Wireless Networking WE
Page 68 and 69:
64 CHAPTER 4 Wireless Networking Th
Page 70 and 71:
66 CHAPTER 4 Wireless Networking us
Page 72 and 73:
Page 74 and 75:
70 CHAPTER 4 Wireless Networking si
Page 76 and 77:
72 CHAPTER 4 Wireless Networking co
Page 78 and 79:
74 CHAPTER 5 The OSI Model and Netw
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89: 84 CHAPTER 5 The OSI Model and Netw
Page 94 and 95: 90 CHAPTER 6 TCP/IP and Routing ■
Page 96 and 97: 92 CHAPTER 6 TCP/IP and Routing For
Page 98 and 99: 94 CHAPTER 6 TCP/IP and Routing UND
Page 100 and 101: 96 CHAPTER 6 TCP/IP and Routing ■
Page 102 and 103: 98 CHAPTER 6 TCP/IP and Routing Sub
Page 104 and 105: 100 CHAPTER 6 TCP/IP and Routing co
Page 106 and 107: 102 CHAPTER 6 TCP/IP and Routing
Page 108 and 109: 104 CHAPTER 6 TCP/IP and Routing al
Page 110 and 111: CHAPTER 7 Wide Area Networking 107
Page 112 and 113: WAN Protocols and Properties 109 In
Page 114 and 115: WAN Protocols and Properties 111 Cr
Page 116 and 117: Internet Access Methods 113 EXAM WA
Page 118 and 119: Internet Access Methods 115 Wireles
Page 120 and 121: Internet Access Methods 117 Top Fiv
Page 122 and 123: Internet Access Methods 119 with th
Page 124 and 125: 122 CHAPTER 8 Security Standards an
Page 146 and 147: 144 CHAPTER 9 Network Management
Page 148 and 149: 146 CHAPTER 9 Network Management Wi
Page 150 and 151: 148 CHAPTER 9 Network Management Cr
Page 152 and 153: 150 CHAPTER 9 Network Management
Page 154 and 155: 152 CHAPTER 9 Network Management An
Page 156 and 157: 154 CHAPTER 9 Network Management Lo
Page 158 and 159: 156 CHAPTER 10 Network Troubleshoot
Page 178 and 179: Glossary 177 Access Determines who
Page 180 and 181: Glossary 179 Extensible Authenticat
Page 182 and 183: Glossary 181 Oscilloscope A cable t
Page 184 and 185: Glossary 183 Wireless Network A net
Page 186 and 187: 186 Index Data link layer, 74-75 fu
Page 188 and 189:
188 Index Network troubleshooting,
show all

Syngress - Eleventh Hour Network+ Exam N10-004 Study Guide (11 ...

Create successful ePaper yourself

Delete template?

Save as template?