Card Set Information

2014-12-02 15:19:18

Chapter Seven for CompTIA

  1. What is authentication?
    Verifying that a user is who they claim to be by checking one or more credentials, before any decision about what resources they may access. The most common form is a user name and password.
  2. What are the authentication factors?
    • Something the user has (ID badge, smart card, hardware token)
    • Something the user knows (password, PIN; the user name only identifies the user and is not a secret)
    • Something the user is, a unique physical aspect (biometrics such as a fingerprint)
    • Something the user does (a unique swipe pattern, often used on mobile devices)
    • Somewhere the user is (location-based authentication, using GPS or another geolocation device)
  3. Refers to requiring only one factor (such as a password) to authenticate a user. The system compares the password given for the account with its database of known user names and passwords (ideally stored as salted hashes rather than in clear text) and authenticates the user if they match. This is the simplest but weakest form of authentication because users' passwords tend to be weak.
    Single-Factor Authentication
  4. Typically combines two different factor types, such as something the user knows and something the user possesses. For example, most automated teller machine (ATM) transactions require the user to insert a physical banking card into the machine and then type a PIN; the PIN is verified together with the account data read from the card's magnetic stripe or chip.
    Two-Factor Authentication
  5. Is the strongest form of user authentication and combines two or more different factor types: physical items, such as a smart card, token, or biometric characteristic, together with nonphysical items, such as passwords, passphrases, and PINs. Two items of the same type (a password plus a PIN, for instance) still count as a single factor.
    Multifactor Authentication
  6. Where the user has to authenticate only once on the network to access the resources on it.
    Single sign-on

    This type of centralized administration is a much more efficient way for a network administrator to control access to the network. User account policy templates can be created and used network-wide to remove the need to configure each user's account settings individually, except for a unique login and password. The trade-off is that a single compromised credential now opens every resource behind the sign-on, so the one login must be protected well (strong credentials, multifactor authentication, prompt revocation).
  7. Is an important network feature for companies and organizations whose users need to reach network resources from offsite locations.
    Remote access
  8. What are the four remote access methods?
    • Dial-Up
    • ISDN
    • Cable Modem
    • DSL
  9. For many years, the most common way of reaching a corporate LAN or the Internet remotely was this kind of connection, made with a modem over an ordinary phone line. The modem converts the computer's digital signals to analog for transmission over the analog phone line, and a modem at the far end converts them back.
    Dial-up
  10. Was created to replace the use of common phone lines for network communications. Unlike the modem, this type of adapter doesn't convert signals from digital to analog and back again; instead, it connects digitally between the two adapters over the line.
    ISDN - Integrated Services Digital Network
  11. What are the two ISDN channel types?
    • 1. B-Channels
    • 2. D-Channels
  12. These channels transmit data, such as voice or computer data communications. They can be used individually or combined (bonded) to create higher bandwidth.
    B-Channels (bearer channels)
  13. These channels transmit control and signaling information for managing the transmission of data on the B-channels.
    D-Channels (data/signaling channels)
  14. Are one of the most popular ways of connecting home computers to the Internet. They do not operate like a dial-up modem, which translates between analog and digital signals in the voice band of a phone line; instead the device carries data on channels of your home's coaxial cable line and connects by common Ethernet cable to your computer's network interface card (NIC).
    Cable Modem
  15. Is another popular method of connecting a home computer or small business to the Internet. It runs over common copper telephone lines but requires the subscriber to be within a limited distance of the phone company's central office. It uses a phone line to connect to the Internet but differs from dial-up in that it does not modulate the signal into the analog voice band; it carries digital data on the higher frequencies of the line, so voice calls and data can share it.
    DSL (Digital Subscriber Line)
  16. Are used to provide access to a machine from an external client system. The communication link that connects the two systems can be anything from a dial-up line to a direct cable connection.
    Remote Access Applications
  17. What are the three authentication and encryption methods for Remote Access Applications?
    • 1. Telnet
    • 2. SSH
    • 3. VPN
  18. Allows you to connect remotely to a system (TCP port 23) and execute commands as if you were on its console. It provides only basic authentication, a user name and password on the remote system, and neither the credentials nor the rest of the session is encrypted: everything is sent in clear text and can be read by anyone monitoring network traffic. It should not be used where SSH is available.
    Telnet
  19. Is a secure form of remote access to a remote computer (TCP port 22). Like Telnet, it allows you to connect to a remote system and run commands as if you were on its console, but it uses an encrypted tunnel to the remote system.
    • SSH
    • During the initial SSH connection, client and server negotiate algorithms and run a key exchange (typically Diffie-Hellman) that produces a session key; the server proves its identity with its host key, and the user then authenticates with a password or a key pair. This creates an encrypted channel for all further communication between client and server. Verify the host key fingerprint the first time you connect; a later "host key has changed" warning can indicate a man-in-the-middle attempt rather than a harmless reinstall.
  20. Is a secure and private connection over a public network. The connection between the client and the remote network is an encrypted tunnel between the two points, which creates a virtual connection to the access server on the corporate network. After the tunnel is negotiated, the client must authenticate itself (with a user name and password, a certificate, or both) before the access server grants access to the corporate network.
    • VPN
    • A VPN is only as secure as the tunneling and encryption protocols used on the connection.
  21. These protocols must be able to travel through different networks and different physical infrastructures. A home user who wants to connect their computer to the internet must use an analog modem, cable modem, or DSL line to connect with an Internet service provider (ISP).
    Remote Access Protocols
  22. What are the two types of Remote Access Protocols?
    • 1. SLIP (Serial Line Internet Protocol)
    • 2. PPP (Point-to-Point Protocol)
  23. Is one of the earliest Internet Protocols used for encapsulating IP packets for transmission over serial communications, such as a phone line or serial cable.
    SLIP (Serial Line Internet Protocol)
  24. What are the advantages and disadvantages of SLIP?
    SLIP is simple and adds almost no overhead, but it carries only IP (no IPX/SPX or NetBEUI), provides no error detection, compression, or authentication, and requires both ends to be configured with their IP addresses in advance because it has no address negotiation. It is considered difficult to configure, inefficient, and unreliable. It isn't used much these days and has been replaced by PPP, which added all of those features.
  25. Is used to establish a connection between two computers over a serial interface, usually a phone line. PPP is the most popular protocol used by ISPs to let users dial into the Internet from home using a modem attached to a home computer; it can carry several network protocols, negotiates addresses, and supports authentication through PAP, CHAP, or EAP. The main
    PPP (Point-to-Point Protocol)
  26. Used by VPNs to tunnel network data over a public network and to provide encryption to protect transmitted data.
    VPN Protocols
  27. What are the three types of VPN Protocols?
    • 1. PPTP (Point-to-Point Tunneling Protocol)
    • 2. L2TP (Layer 2 Tunneling Protocol)
    • 3. IPsec
  28. Is a Microsoft tunneling protocol for VPNs. Because it is an extension of PPP, it became one of the most widely used tunneling protocols; it encapsulates PPP frames (in GRE) for transfer over another network, such as the Internet, and relies on MPPE for encryption and MS-CHAP for authentication. Both of those have known weaknesses, so PPTP is now considered obsolete; prefer L2TP/IPsec, native IPsec, or a TLS-based VPN.
    PPTP (Point-to-Point Tunneling Protocol)
  29. Combines the best features of PPTP with the Layer 2 Forwarding (L2F) protocol created by Cisco Systems. It is most often used with other media technologies, such as Frame Relay. L2TP provides no encryption of its own; in practice it is paired with IPsec (L2TP/IPsec) to protect the tunneled PPP traffic.
    L2TP (Layer 2 Tunneling Protocol)
  30. What are the two components of L2TP?
    • 1. L2TP Access Concentrator (LAC)
    • 2. L2TP Network Server (LNS)
  31. Is responsible for terminating the local network connection and tunneling PPP packets to the LNS.
    L2TP Access Concentrator
  32. Is situated on the remote end of the connection and terminates the PPP connection originating from the LAC.
    L2TP Network Server (LNS)
  33. Is a suite of protocols used primarily to encrypt VPN communications over the Internet. It provides authentication, data integrity, and confidentiality for remote VPN access. The two endpoints authenticate each other with pre-shared keys or certificates, negotiate session keys with IKE (Internet Key Exchange), and then protect traffic with symmetric encryption (ESP, Encapsulating Security Payload) in a tunnel between the two VPN endpoints, whether client-to-server or server-to-server. The client can connect to the network from anywhere it has Internet access, and all of its network traffic is sent through the encrypted tunnel while this type of VPN is active.
    IPsec (Internet Protocol Security)
  34. What are the 14 Authentication Protocols?
    • 1. PAP (Password Authentication Protocol)
    • 2. CHAP (Challenge-Handshake Authentication Protocol)
    • 3. LANMAN
    • 4. NTLM/NTLMv2
    • 5. Extensible Authentication Protocol
    • 6. RADIUS (Remote Authentication Dial-In User Service)
    • 7. LDAP (Lightweight Directory Access Protocol)
    • 8. SAML (Security Assertion Markup Language)
    • 9. TACACS (Terminal Access Controller Access-Control System)
    • 10. Kerberos
    • 11. 802.1X
    • 12. Certificates
    • 13. HOTP/TOTP
    • 14. Biometrics
  35. Is the most basic type of authentication that consists of comparing a set of credentials, such as a user name and a password, to a central table of authentication data. If the credentials match, the user is granted access. Is most often used with dial-up remote access methods using PPP, such as connecting to an ISP or Remote Access Services (RAS) that supports PPP.
    PAP (Password Authentication Protocol)
  36. What are the advantages and disadvantages of PAP?
    PAP is simple and universally supported, but it sends the user name and password over the link in clear text, whatever protection the server applies to its own password table, so anyone monitoring the network can capture them. Typically used for dial-up authentication, PAP has the same weakness as HTTP Basic authentication, which also transmits credentials unencrypted (base64 encoding is not encryption) unless the connection is wrapped in TLS. Because of PAP's weaknesses, CHAP is usually used in place of PAP.
  37. Is much more secure than PAP because the password never crosses the link. Once the link is up, the authenticating server sends the client a challenge containing an identifier and a random value. The client computes a one-way hash (MD5) over the identifier, its shared secret (the password), and the challenge value, and returns that digest together with its user name. The server performs the same calculation from its own copy of the secret and grants access if the values match.
    CHAP (Challenge-Handshake Authentication Protocol)
  38. What are the advantages and disadvantages of CHAP?
    CHAP provides protection against replay attacks, in which an attacker captures data and resends it later. To prevent this, CHAP uses an incrementally changing identifier and a random, variable challenge value, and the authentication can be repeated at any time while the connection is open using new identifiers and challenges. One cost is that the server must keep each secret in clear or reversibly encrypted form so it can compute the expected hash. Microsoft has its own version of CHAP called MS-CHAP, which extends the functionality of CHAP for Microsoft networks. The latest version, MS-CHAPv2, adds mutual authentication and resolves issues present in earlier versions of MS-CHAP, but its DES-based response has since been shown to be crackable, so it should be used only inside an encrypted tunnel such as PEAP, EAP-TLS, or IPsec.
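The PAP and CHAP exchanges described in the two cards above, as an added example that is not code from the page: a minimal RFC 1994 CHAP authenticator and peer in Python, showing why a captured response cannot be replayed against the next challenge. The peer name, the shared secret, and the way outstanding challenges are tracked are constructed for the demo; a production authenticator would also expire old challenges and rate-limit attempts.

```python
import hashlib
import hmac
import os

# Constructed demo credentials (not from the page): peer name -> shared secret.
# With PAP this secret would cross the wire in clear text; with CHAP only a
# digest that depends on a fresh per-attempt challenge does.
SECRETS = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of CHAP: issues a random challenge with an incrementing
    identifier for every attempt and verifies the peer's response against it."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.identifier = 0
        self.outstanding = {}  # identifier -> challenge still awaiting a response

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) % 256   # CHAP Identifier is one octet
        chal = os.urandom(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.outstanding.pop(identifier, None)   # every challenge is single-use
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def chap_login(auth: ChapAuthenticator, name: str, secret: bytes):
    """Peer side: answer the authenticator's challenge with the shared secret.
    Returns the response that went over the wire and whether it was accepted."""
    identifier, chal = auth.challenge()
    response = chap_response(identifier, secret, chal)
    return response, auth.verify(identifier, name, response)


def demo():
    auth = ChapAuthenticator(SECRETS)
    captured, first_ok = chap_login(auth, "alice", SECRETS["alice"])
    # An eavesdropper who captured `captured` cannot reuse it: the next attempt
    # gets a different identifier and challenge, so the expected digest differs.
    identifier, _ = auth.challenge()
    replay_ok = auth.verify(identifier, "alice", captured)
    # A wrong secret produces the wrong digest and is rejected as well.
    _, wrong_ok = chap_login(auth, "alice", b"wrong secret")
    return first_ok, replay_ok, wrong_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Note that `verify` needs the clear secret to recompute the digest, which is the storage cost mentioned on the card: a CHAP server cannot keep only salted password hashes the way a PAP server could.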
  39. Is used by older versions of Windows (such as Windows NT) to hash user passwords for authentication. The LM hash algorithm upper-cases the password, pads it to 14 characters, and splits it into two 7-character halves, each used as a DES key to encrypt a fixed string. The effective keyspace is therefore tiny, and a password can be brute-forced in minutes or hours. LM hashing should be disabled on any remaining systems.
    LANMAN (LAN Manager)
  40. Was created as an improvement to the original Microsoft LANMAN implementation and combines challenge/response authentication with message-digest hashing of the password, so that only a hash-derived response, never the password or its hash itself, travels between client and authenticating server.
    • NTLM and NTLMv2
    • NTLM version 1 uses an MD4 hash of the password with a DES-based response, while version 2 (introduced in Windows NT 4.0 Service Pack 4) uses keyed-Hash Message Authentication Code (HMAC)-MD5 and is more secure than version 1. Since Windows 2000 and the growth of Active Directory-based implementations, Microsoft has used Kerberos for domain authentication, but NTLM is still used where Windows networks run without Active Directory domains or any other type of third-party authentication service. Every NTLM version remains exposed to relay and pass-the-hash attacks, so it should be restricted or disabled wherever Kerberos is available.
  41. Is primarily used in wireless networks, but it can also be used on traditional LANs and in remote access methods to extend PPP authentication. It is a framework rather than a single method: instead of the simple user name and password of PAP and CHAP, an EAP method can use tokens, Kerberos, biometrics, or Transport Layer Security (TLS) certificates.
    EAP (Extensible Authentication Protocol)
  42. Is the most common Internet standard used for authenticating clients in a client/server environment. When a remote user accesses a network through a remote access device (the RADIUS client, such as a VPN concentrator or an access point), that device forwards the user's credentials to a RADIUS server, which compares them against its database. If the credentials match, the user is granted access to the rest of the network. RADIUS also provides accounting and reporting: the server can log data on each connection, such as packet counts, protocol types, and the length of time connected. It runs over UDP (port 1812 for authentication, 1813 for accounting) and protects only the password attribute with a shared secret, so traffic between the RADIUS client and server belongs on a trusted network or inside a tunnel.
    RADIUS (Remote Authentication Dial-In User Service)
  43. Is used to query and update a directory of users and network resources. The directory database itself can consist of a wide variety of information, including not only basic user contact information, such as email addresses or phone numbers, but also objects, such as printers and computers. Some directory services are used to configure and control access to every network resource object on the entire network or to hold a centralized database of logins and passwords.
    LDAP (Lightweight Directory Access Protocol)

    With such a critical collection of network data, security is of prime importance when using directory access protocols such as LDAP. All LDAP servers have some security controls in place for allowing read and update access to the directory database. Typically, all users can read most of the information held in the database, but only a few users have update privileges. Large directories usually have multiple information administrators who have access to update only information pertaining to their departments or regions.
  44. How does a client access LDAP?
    • For a client to access an LDAP server, it must first be authenticated, unless the server allows anonymous connections. This type of access control allows the LDAP server to decide exactly what the client can access and what information it can update.
    • Most LDAP servers support encrypted secure channels for communicating with clients, especially when transferring information such as user names, passwords, and other sensitive data. LDAP servers use TLS (historically SSL) for this purpose, either as LDAPS on a dedicated port or through the StartTLS extension on the standard port.
  45. NOTE: Remember that unencrypted LDAP uses TCP port 389, LDAPS (LDAP over SSL/TLS) uses TCP port 636, and StartTLS upgrades an existing port 389 connection to TLS.
  46. Allows the transfer of information about an individual--specifically, who they are (authentication) and what they have access rights to (Authorization)--between identity and service providers.
    SAML (Security Assertion Markup Language)
  47. What are the three roles in SAML?
    • 1. The principal, typically a user.
    • 2. The identity provider (IdP), which authenticates the principal and issues assertions about it.
    • 3. The service provider (SP), such as an application or web service, which relies on those assertions. The service provider requests information from the identity provider; SAML 2.0 supplies a signed token containing assertions, a packet of information about the principal. The service provider then decides to allow or deny access to the requested service; if the principal is authenticated, the service is provided to it.
  48. Is an older type of authentication protocol that's similar to RADIUS. A remote access user connects to a network and is authenticated by the TACACS server before being allowed access to the network's resources.
    TACACS (Terminal Access Controller Access-Control System)
  49. What are the three versions of TACACS that have been used?
    • 1. TACACS: The original protocol, which performs both authentication and authorization.
    • 2. XTACACS: Extended TACACS, which builds on TACACS by separating the functions of authentication, authorization, and accounting.
    • 3. TACACS+: Cisco's redesign, which supports a user name and password or other authentication methods, such as Kerberos or dynamic passwords from security tokens. It runs over TCP port 49 and encrypts the entire packet body (RADIUS obfuscates only the password attribute).
  50. What are the disadvantages of TACACS?
    Unfortunately, the TACACS protocols have several security vulnerabilities, including a weak encryption algorithm. This has decreased its use in favor of the standards-based RADIUS authentication protocol.
  51. Is an authentication system in which the client is issued a cryptographic ticket that it presents to other hosts and services on a nonsecure network to prove its identity. It uses symmetric-key cryptography, where the same key used to encrypt a message is used to decrypt it.
    Kerberos
  52. How does Kerberos work?
    The client authenticates once to the Kerberos server (the Key Distribution Center, KDC) and receives a ticket-granting ticket; with it the client obtains service tickets that prove to each service on the network that it has been authenticated, without sending its password again. This requires a KDC to authenticate clients and issue tickets, and every principal's key is stored there. That is also its weakness: if the KDC is compromised, the security of the entire Kerberos system is compromised, and if it crashes, nobody can be authenticated. Tickets also carry timestamps, so client and server clocks must stay synchronized (typically within five minutes).
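The ticket flow just described, as an added example that is not code from the page: a deliberately simplified model of Kerberos in Python. The AS and TGS exchanges are collapsed into a single ticket request, and a toy HMAC-SHA256 construction stands in for Kerberos' real encryption types; the realm, principal names, and password are constructed for the demo. What it shows is the three properties the card is getting at: the client's password never leaves the client, a service can verify a ticket with nothing but its own key, and the KDC holds every long-term key.

```python
import hashlib
import hmac
import json
import os
import time

# Toy authenticated encryption from stdlib primitives (NOT a Kerberos enctype):
# keystream = HMAC-SHA256(key, nonce || block counter); tag = HMAC-SHA256(key, nonce || ct).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def user_key(password: str, realm: str, name: str) -> bytes:
    """String-to-key: the client's long-term key is derived from its password,
    salted with realm and principal name (PBKDF2 here, as RFC 3962 does for AES)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + name).encode(), 10_000)


class KDC:
    """Key Distribution Center: knows every principal's long-term key, which is
    exactly why its compromise (or outage) takes the whole realm with it."""

    def __init__(self, realm: str):
        self.realm, self.keys = realm, {}

    def register_user(self, name: str, password: str):
        self.keys[name] = user_key(password, self.realm, name)

    def register_service(self, name: str) -> bytes:
        self.keys[name] = os.urandom(32)      # the service's keytab equivalent
        return self.keys[name]

    def ticket_request(self, client: str, service: str, lifetime: int = 300):
        """AS and TGS steps collapsed into one. Returns a ticket the client cannot
        read (sealed with the service key) and a reply only the client can read
        (sealed with its password-derived key); both carry the same session key."""
        session_key, now = os.urandom(32), int(time.time())
        ticket = seal(self.keys[service], {"client": client, "key": session_key.hex(), "expires": now + lifetime})
        reply = seal(self.keys[client], {"key": session_key.hex(), "service": service, "expires": now + lifetime})
        return ticket, reply


def client_login(kdc: KDC, name: str, password: str, service: str):
    """Client side: only the correct password unseals the reply and yields the
    session key. The password itself is never sent to the KDC or the service."""
    ticket, reply = kdc.ticket_request(name, service)
    session_key = bytes.fromhex(unseal(user_key(password, kdc.realm, name), reply)["key"])
    authenticator = seal(session_key, {"client": name, "ts": int(time.time())})
    return ticket, authenticator


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now=None, skew: int = 300) -> str:
    """Service side: verify using only its own key, with no call back to the KDC."""
    now = int(time.time()) if now is None else now
    t = unseal(service_key, ticket)
    if t["expires"] < now:
        raise ValueError("expired ticket")
    a = unseal(bytes.fromhex(t["key"]), authenticator)   # proves the client holds the session key
    if a["client"] != t["client"] or abs(a["ts"] - now) > skew:
        raise ValueError("authenticator does not match ticket or is stale")
    return t["client"]


def demo():
    kdc = KDC("EXAMPLE.COM")
    kdc.register_user("alice", "hunter2")           # constructed demo password
    mail_key = kdc.register_service("imap/mail")
    ticket, auth = client_login(kdc, "alice", "hunter2", "imap/mail")
    accepted = service_accept(mail_key, ticket, auth)
    try:
        client_login(kdc, "alice", "wrong", "imap/mail")
        wrong_pw = "accepted"
    except ValueError:
        wrong_pw = "rejected"
    try:  # the same ticket an hour later: past its lifetime and outside clock skew
        service_accept(mail_key, ticket, auth, now=int(time.time()) + 3600)
        stale = "accepted"
    except ValueError:
        stale = "rejected"
    return accepted, wrong_pw, stale
```

Real Kerberos adds pre-authentication (so the KDC does not hand out a reply to anyone who merely names a principal), a separate ticket-granting ticket, and replay caches on the service side; the clock-skew check in `service_accept` is why the card's note about synchronized clocks matters.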
  53. Is a port-based authentication mechanism for devices connecting to wired or wireless networks. Its goal is to provide a centralized authentication framework for LANs and wireless LANs (WLANs) that includes wired clients, wireless clients, and the wireless access points that connect them to the network.
    IEEE 802.1X Standard
  54. How does 802.1X work for wired connections?
    For wired LANs, 802.1X is implemented on network devices such as switches to provide access control by authenticating connecting clients based on the user or system identity. You can then allow or block network connectivity and apply network access policies based on this authentication.
  55. How does 802.1X work for wireless connections?
    • In a WLAN without 802.1X, a client associates with the closest access point and then authenticates using whatever mechanism the network itself provides. Unfortunately, unless the WLAN is protected with a strong encryption method, the client can perform certain network functions without authentication, such as sending a ping request.
    • Using 802.1X, when a client (the supplicant) connects to an access point (the authenticator), the wireless port is set to an unauthorized state so it can't perform any network functions, including receiving an IP address from a Dynamic Host Configuration Protocol (DHCP) server. The access point asks the client for authentication credentials and forwards the resulting EAP exchange, without interpreting it, to an authentication server running a service such as RADIUS. If the client is accepted as an authorized user, the client's port on the access point is switched to an authorized state and normal communication can commence.
  56. Are digital documents, issued and signed by a trusted third party (a certificate authority), that bind a public key to the identity of a user, device, or server and can be used to authenticate either or both ends of a connection (mutual authentication). A certificate is like a digital piece of paper that carries its holder's credentials. They are used primarily with secure web communications and encryption (TLS).
    Certificates (digital certificates)
  57. Is an open algorithm (RFC 4226, from the OATH initiative) for generating one-time password values from a shared secret and a counter using HMAC; the values are typically checked by an authentication server as a second factor. It was developed as an interoperable standard usable across a variety of platforms, both commercial and open source.
    HOTP (HMAC-based One-time Password)

    You will often hear HOTP and its variants referred to as "two-step authentication" within many web applications.
  58. Extends the general HOTP concept by replacing the counter with a time-based value, usually the current Unix time divided into 30-second steps. Because the code changes at every step, a captured code is useful only briefly; client and server clocks must be roughly synchronized, and servers usually accept a step or so of drift on either side.
    TOTP (Time-based One-time Password)
  59. Uses a unique physical attribute, such as a fingerprint, voice pattern, or retinal pattern, to identify a user. Initially, the user requesting access has the attribute scanned (enrollment) so a reference template is on file for comparison when the user tries to gain access in the future.
    Biometrics
  60. What are the 6 most common types of biometrics?
    • 1. Palm/Fingerprint scan
    • 2. Hand geometry scan
    • 3. Retinal/Iris Scan
    • 4. Voice scan
    • 5. Facial Scan
    • 6. Signature scan
  61. What are the advantages to Biometrics?
    Although typically available only to high-security installations because of the cost, biometric access control offers the most complete and technologically advanced method for securing access. Two caveats: every biometric system is tuned between false acceptance and false rejection rates, and a biometric, unlike a password, cannot be reissued once its template is stolen, so stored templates need strong protection.
  62. No two fingerprints are alike. The user places a finger (or, for a palm scan, the whole hand) on a biometric scanner that compares the print to the one on file for that user. The card text treats this as the most effective of all biometric methods.
    Palm/Fingerprint scan
  63. The size and shape of a person's hand vary significantly among different people. Similar to a fingerprint scan, the user places his hand on a biometric scanner, which measures the length and width of the hand, including the sizes of the fingers.
    Hand geometry scan
  64. The blood-vessel pattern of a person's retina is a unique attribute, similar to a fingerprint, as is the pattern of the iris. For a retinal scan the user looks into a device that projects a low-intensity light beam into the eye to capture the pattern; an iris scan photographs the iris from a short distance and is less intrusive.
    Retinal/Iris scan
  65. The voice is also a unique characteristic for each user. By recording the user speaking a set of access words, the captured voice print can be compared to the same spoken words the next time the user tries to gain access.
    Voice Scan
  66. A facial scan records the unique characteristics of each user's face, such as bone structure and the shape of eyes and nose. These characteristics can be captured in the scan and compared to the facial scan on file.
    Facial Scan
  67. Considered one of the weakest types of biometric security, a signature scan records the written signature of a user and then compares it to subsequent signatures when the user attempts to gain access. Two types of signature scan exist: static and dynamic. A static scan merely compares the two images for similarity and can't be considered rigorous. A dynamic scan also records the motion of the signature (pen speed, pressure, and stroke order) as electrical signals. These extra characteristics make a dynamic signature scan much more reliable.
    Signature Scan
  68. You must set up a secure authentication and encryption method for your remote users. Most users are remote salespeople who connect to the company's networks from home networks or hotel Internet connections. Which of the following methods would you use?
    A. 802.1X
    B. Kerberos
    D. VPN
    D. VPN

    The VPN is able to encrypt your communications while providing authentication to an authentication server. This is especially important for users connecting remotely over the Internet from insecure locations.
  69. You are tasked with creating a high-security authentication system for physical access control to a military installation. Which of the following authentication systems would be most appropriate?
    A. Biometric eye scan
    B. Security badge
    C. Smart card and PIN
    D. Encrypted login and password
    A. Biometric eye scan

    For high-security installations, biometrics is an extremely secure method to authenticate users based on unique physical characteristics.
  70. You are setting up an LDAP server that will provide secure, encrypted authentication services. Which of the following protocols and ports do you use?
    A. LDAP on TCP port 389
    B. LDAPS on TCP port 636
    C. LDAP on TCP port 636
    D. LDAPS on TCP port 389
    B. LDAPS on TCP port 636

    When you use LDAPS (which uses TCP port 636), the authentication takes place over an encrypted channel to prevent the capture of authentication credentials. (StartTLS on port 389 is the other encrypted option; plain LDAP on 389 is not.)
  71. You are at home and have received a call from your office that one of your mail servers is down. You have set up a secure, encrypted remote access method to an administrative computer at your office. Which of the following remote access methods do you use?
    A. HTTP web login
    B. Dial-up
    C. Telnet
    D. VPN
    D. VPN

    The VPN method provides a secure, encrypted channel over the Internet to your organization's private network.
  72. You have several home users with Internet access who require remote access to your organization's network. Which of the following remote access and authentication technologies would be the most secure?
    A. Telnet access to a local password database
    B. Dial-up access to a Kerberos server
    C. VPN authenticated to a RADIUS server
    D. Wireless access to an LDAPS server
    C. VPN authenticated to a RADIUS server

    By using a VPN to a RADIUS server, you ensure that your communications are encrypted and that secure authentication takes place to the RADIUS server.
  73. A web services provider has suggested improving their security through the implementation of two-factor authentication. What would the most likely authentication method be?
    A. SAML
    C. TOTP
    D. ISDN
    C. TOTP

    Time-based One-time Passwords (TOTP) allow users to log into a system with a user name and password combination and then a one-time token, usually generated from a separate device.
  74. You are creating an authentication mechanism for physical access to a high-security government building. The high-security nature of the facility requires at least a three-factor authentication model. Which of the authentication types do you use?
    A. Smart card, PIN, and fingerprint scan
    B. Biometric eye scan
    C. Smart card and PIN
    D. ID badge and password
    A. Smart card, PIN, and fingerprint scan

    For a three-factor authentication model, you need at least three different types of authentication. A biometric eye scan, while extremely secure, is still only a one-factor system, while the other methods are only two-factor, such as a smart card and a PIN.
  75. After a user is identified and authenticated to the system, what else must be performed to enable the user to use a resource?
    A. Biometric scan
    B. Encryption of network access
    C. Authorization
    D. Authentication by token
    C. Authorization

    Although a user has been given access to log in to the network, he still needs to be authorized to use a particular resource based on access permissions.
  76. SAML implementations have three basic roles: the identity, the identity provider, and the ________.
    A. Service Provider
    B. Internet Provider
    C. Authorization Provider
    D. Authentication Provider
    A. Service Provider

    The service provider takes the token passed from the identity provider and either accepts and provides services to the users or denies the request and does not.
  77. You are setting up a single sign-on authentication system for a large enterprise network of 5000 users. Which of the following authentication methods would you use?
    A. Local login and password database
    B. LDAP server
    C. Login and password with a security token
    D. Smart card with PIN number
    B. LDAP server

    An LDAP server provides a centralized authentication database that can be used to securely authenticate a user to multiple services on the same network. This is the most efficient and secure method for a large network of 5000 users. Other methods would require tedious configuration and management of each individual user.