Chpater 4 Access Control Models and AAA Protocols

Questions and Answers

What three elements comprise an Access Control Model (ACM)?

Account, Resource, Policies

Subject, Object, Permissions (correct)

User, Resource, Privileges

Entity, Access Rights, Roles

What feature distinguishes content-dependent access control?

It grants permissions based solely on user identity.

It interfaces with hardware for physical security.

It restricts access based on the content of the resource. (correct)

It uses the time of access request to authorize actions.

Which of the following describes context-dependent access control?

It allows unrestricted access during specific time periods.

It relies solely on user roles for access decisions.

It uses the content of the resource to determine access.

It considers contextual information alongside user identity. (correct)

What is one primary function of AAA protocols?

To provide monitoring and accounting for user actions.

Which AAA protocol is primarily known for providing network access services?

RADIUS

Which RFCs specify the authentication and authorization components of RADIUS?

RFC 2865 and RFC 2866

In the context of RADIUS, what role does the client play?

It is the access server receiving the access request.

What could an ACM potentially resemble?

A collection of access control lists or capabilities tables

What does the concept of 'implicit deny' in an authorization policy imply?

Transactions are denied if no rules are specified.

In a Mandatory Access Control (MAC) environment, what determines whether a subject can access an object?

The subject's security clearance compared to the object's classification.

Which statement is true regarding Discretionary Access Control (DAC)?

DAC allows object owners to define access permissions.

Which of the following defines the principle of 'need to know' in authorization policies?

Subjects receive access strictly to fulfill their job duties.

Which of the following scenarios exemplifies the least privilege principle?

A user with read access can view files but cannot make changes.

What is a common use case for Mandatory Access Control (MAC)?

Sensitive government or military systems requiring confidentiality.

Which of these best describes the role of an Access Control List (ACL) in a DAC system?

To specify which users or groups can access particular objects.

What is the interaction between a subject's and an object's security labels in a MAC environment?

The subject must have a clearance equal to or greater than the object's classification.

What are the three primary authorization models mentioned?

Object capability, Security labels, Access control lists

How does the authorization process determine access rights?

By checking permission associated with the subject/object pair

Which model is characterized by embedding mandatory access controls in object and subject properties?

Mandatory access control

In the context of SAML and the Duo Access Gateway, what is the role of the identity provider (IdP)?

To authenticate users and manage credential verification

What does object capability rely on to grant access in its authorization model?

An unforgeable reference and an operational message

Which of the following is NOT a characteristic of security labels in authorization?

They can specify user roles

What is the primary purpose of an authorization policy?

To govern how access rights and permissions are assigned

What component aids Duo in providing multifactor authentication for VPN users?

Cisco ASA or Cisco Firepower Threat Defense devices

Study Notes

Chapter 4: Authentication, Authorization, Accounting (AAA) and Identity Management

• Topics Covered: Introduction to Authentication, Authorization, and Accounting; Authentication (knowledge, ownership, biometrics, multifactor, SSO); Authorization (object capability, security labels, ACLs); Accounting (auditing and monitoring); Infrastructure Access Controls; AAA Protocols (RADIUS, TACACS+); Cisco Identity Service Engine (ISE).

Authentication

• Definition: Verifying the identity of a user or device.
• Types:
  • Authentication by knowledge (e.g., password, PIN).
  • Authentication by possession (e.g., token, smart card).
  • Authentication by inherence/characteristics (e.g., biometric).
• Multifactor Authentication (MFA): Combining multiple factors for stronger security.
• Single Sign-On (SSO): Allowing a user to access multiple systems with one set of credentials.

Authorization

• Definition: Granting access rights to authenticated users or devices.
• Models:
  • Object Capability: Programmatic access based on unforgeable references and actions.
  • Security Labels: Mandatory access controls based on object and subject properties (e.g., confidential, secret, top secret).
  • Access Control Lists (ACLs): Define access based on criteria like user IDs, group memberships, location, or dates.

Accounting

• Definition: Auditing and monitoring user activity after resource access.
• Purpose: Tracking security events for later review and incident investigation.

Infrastructure Access Controls

• Components: Physical and logical network design, border devices, communication mechanisms, host security settings.
• Importance: Thoroughly monitor infrastructure for security threats. Respond appropriately to suspicious activity.

AAA Protocols

• RADIUS: Client-server protocol that uses UDP ports 1812 (auth/authz) and 1813 (accounting).
• TACACS+: Cisco proprietary protocol that uses TCP port 49 for authentication, authorization, accounting. Offers more granular control than RADIUS.
• Diameter: Newer protocol addressed in RFC 6733, used for network access and offers more reliability compared to RADIUS, used for higher-level network access.

Cisco Identity Service Engine (ISE)

• Centralized AAA Policy Engine: Manages authentication and authorization for various devices and applications.
• Integration: Cisco ISE integrates with multiple Cisco and third-party systems.
• Features: Visibility of network access, consistent access control enforcement, support for many authentication methods (e.g., RADIUS, TACACS+, Duo).

Description

Test your knowledge on Access Control Models (ACM) and AAA protocols. This quiz covers essential components of ACM, the differences in access control types, and specific features of RADIUS. Challenge yourself with questions that highlight key concepts in network security and access management.