Chapter 4 Access Control Models and AAA Protocols

Questions and Answers

What three elements comprise an Access Control Model (ACM)?

  • Account, Resource, Policies
  • Subject, Object, Permissions (correct)
  • User, Resource, Privileges
  • Entity, Access Rights, Roles

What feature distinguishes content-dependent access control?

  • It grants permissions based solely on user identity.
  • It interfaces with hardware for physical security.
  • It restricts access based on the content of the resource. (correct)
  • It uses the time of access request to authorize actions.

Which of the following describes context-dependent access control?

  • It allows unrestricted access during specific time periods.
  • It relies solely on user roles for access decisions.
  • It uses the content of the resource to determine access.
  • It considers contextual information alongside user identity. (correct)

What is one primary function of AAA protocols?

  • (D) To provide monitoring and accounting for user actions. (correct)

Which AAA protocol is primarily known for providing network access services?

  • (C) RADIUS (correct)

Which RFCs specify the authentication and authorization components of RADIUS?

  • (A) RFC 2865 and RFC 2866 (correct)

In the context of RADIUS, what role does the client play?

  • (A) It is the access server receiving the access request. (correct)

What could an ACM potentially resemble?

  • (D) A collection of access control lists or capabilities tables (correct)

What does the concept of 'implicit deny' in an authorization policy imply?

  • (A) Transactions are denied if no rules are specified. (correct)

In a Mandatory Access Control (MAC) environment, what determines whether a subject can access an object?

  • (C) The subject's security clearance compared to the object's classification. (correct)

Which statement is true regarding Discretionary Access Control (DAC)?

  • (C) DAC allows object owners to define access permissions. (correct)

Which of the following defines the principle of 'need to know' in authorization policies?

  • (D) Subjects receive access strictly to fulfill their job duties. (correct)

Which of the following scenarios exemplifies the least privilege principle?

  • (B) A user with read access can view files but cannot make changes. (correct)

What is a common use case for Mandatory Access Control (MAC)?

  • (B) Sensitive government or military systems requiring confidentiality. (correct)

Which of these best describes the role of an Access Control List (ACL) in a DAC system?

  • (D) To specify which users or groups can access particular objects. (correct)

What is the interaction between a subject's and an object's security labels in a MAC environment?

  • (A) The subject must have a clearance equal to or greater than the object's classification. (correct)

What are the three primary authorization models mentioned?

  • (D) Object capability, Security labels, Access control lists (correct)

How does the authorization process determine access rights?

  • (C) By checking the permission associated with the subject/object pair (correct)

Which model is characterized by embedding mandatory access controls in object and subject properties?

  • (A) Mandatory access control (correct)

In the context of SAML and the Duo Access Gateway, what is the role of the identity provider (IdP)?

  • (A) To authenticate users and manage credential verification (correct)

What does object capability rely on to grant access in its authorization model?

  • (A) An unforgeable reference and an operational message (correct)

Which of the following is NOT a characteristic of security labels in authorization?

  • (B) They can specify user roles (correct)

What is the primary purpose of an authorization policy?

  • (C) To govern how access rights and permissions are assigned (correct)

What component aids Duo in providing multifactor authentication for VPN users?

  • (B) Cisco ASA or Cisco Firepower Threat Defense devices (correct)

Flashcards

Implicit Deny

If there's no specific rule for a subject/object interaction, the authorization policy automatically denies access.

Need to Know

Subjects should only have access to objects if their job requires that access.

Mandatory Access Control (MAC)

Access controls set by policy, not changeable by the owner of the resource.

Security Label (MAC)

Object's classification and category (e.g., Secret, Flight Plans).

Discretionary Access Control (DAC)

Access control rules set by the object's owner.

ACL (DAC)

Owner-created list specifying who can access an object and what permissions they have.

Cumulative Permissions (DAC)

Permissions granted to a user can be added together.

Least Privilege (general)

Subjects should have only the minimum necessary access required to do their jobs.

SAML

A protocol that lets a service rely on an identity provider to authenticate users.

Duo Access Gateway

A system that provides two-factor authentication for enterprise applications.

Authorization

The process of assigning permissions to authenticated users.

Object Capability

A security model where access rights are based on a combination of a unique identifier and a message.

Security Labels

Mandatory access control tags assigned to subjects and objects to enforce access restrictions.

Access Control Lists (ACLs)

Lists that define permissions based on specific criteria like user ID, group, location, etc.

Subject/Object Pair

The combination of a user and the resource they are trying to access.

Authorization Policy

A set of rules that defines how access permissions are granted.

Access Control Matrix (ACM)

A table that represents the permissions granted to subjects (users) on objects (resources). Each row represents a subject, each column represents an object, and the cell where they intersect shows the permissions the subject has on that object.

Content-Dependent Access Control

This type of control uses the information (content) within a resource to make an authorization decision. It's often used in databases, where a view might restrict the information shown based on the user's role.

Context-Dependent Access Control

This type of control uses contextual information, like the time of day or the user's location, to make access decisions. It goes beyond just user identity.

AAA Protocols

Protocols that handle Authentication, Authorization, and Accounting for network access and resource usage.

RADIUS

A network protocol specifically for authentication, authorization, and accounting, mainly used for network access.

TACACS+

A widely used network access protocol like RADIUS, but with more features and security capabilities.

Diameter

A modern protocol used for AAA and other networking services, evolving to replace RADIUS in modern networks.

What is a database view?

A database object that presents a subset of data from one or more tables, often used to restrict the information a user can see. It can be thought of as a window into the database.

Study Notes

Chapter 4: Authentication, Authorization, Accounting (AAA) and Identity Management

  • Topics Covered: Introduction to Authentication, Authorization, and Accounting; Authentication (knowledge, ownership, biometrics, multifactor, SSO); Authorization (object capability, security labels, ACLs); Accounting (auditing and monitoring); Infrastructure Access Controls; AAA Protocols (RADIUS, TACACS+); Cisco Identity Service Engine (ISE).

Authentication

  • Definition: Verifying the identity of a user or device.
  • Types:
    • Authentication by knowledge (e.g., password, PIN).
    • Authentication by possession (e.g., token, smart card).
    • Authentication by inherence/characteristics (e.g., biometric).
  • Multifactor Authentication (MFA): Combining multiple factors for stronger security.
  • Single Sign-On (SSO): Allowing a user to access multiple systems with one set of credentials.

Authorization

  • Definition: Granting access rights to authenticated users or devices.
  • Models:
    • Object Capability: Programmatic access based on unforgeable references and actions.
    • Security Labels: Mandatory access controls based on object and subject properties (e.g., confidential, secret, top secret).
    • Access Control Lists (ACLs): Define access based on criteria like user IDs, group memberships, location, or dates.
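The following toy implementation of the three authorization models listed above is an added example; it is not from the quiz page or the course material it summarizes. It shows the ACL (access control matrix) check with implicit deny and cumulative user-plus-group permissions, the MAC security-label dominance check (clearance level at least the classification and a superset of its categories), and a capability table where access is decided solely by an unforgeable reference plus the requested action. All subjects, objects, groups, labels and permissions are constructed sample data.

```python
"""Toy authorization checks for the three models in the study notes.

Added example, not part of the original quiz page. Every subject, object,
group, label and permission below is constructed sample data.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# --- ACLs / access control matrix (DAC) ------------------------------------

# Constructed ACLs: object -> {principal (user or "grp:" group): permissions}
ACLS: Dict[str, Dict[str, Set[str]]] = {
    "payroll.xlsx": {"alice": {"read", "write"}, "grp:finance": {"read"}},
    "flight_plans.pdf": {"grp:ops": {"read"}},
}

# Constructed group memberships
GROUPS: Dict[str, Set[str]] = {
    "alice": {"grp:finance"},
    "bob": {"grp:finance", "grp:ops"},
    "carol": set(),
}


def dac_permissions(subject: str, obj: str) -> Set[str]:
    """Cumulative DAC permissions: union of the user's and their groups' ACL entries."""
    acl = ACLS.get(obj, {})
    perms = set(acl.get(subject, set()))
    for group in GROUPS.get(subject, set()):
        perms |= acl.get(group, set())
    return perms


def dac_allows(subject: str, obj: str, action: str) -> bool:
    """Implicit deny: if no ACL entry grants the action for this subject/object pair, refuse."""
    return action in dac_permissions(subject, obj)


# --- Security labels (MAC) ---------------------------------------------------

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: hierarchical level plus a set of compartments/categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Level must be >= the other's and categories must be a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def mac_allows_read(clearance: Label, classification: Label) -> bool:
    """A subject may read an object only if its clearance dominates the object's label."""
    return clearance.dominates(classification)


# --- Object capability -------------------------------------------------------

class CapabilityTable:
    """Issues random, unforgeable tokens bound to (object, allowed actions)."""

    def __init__(self) -> None:
        self._caps: Dict[str, Tuple[str, FrozenSet[str]]] = {}

    def grant(self, obj: str, actions: Set[str]) -> str:
        token = secrets.token_urlsafe(32)  # unguessable reference
        self._caps[token] = (obj, frozenset(actions))
        return token

    def invoke(self, token: str, action: str) -> Tuple[bool, str]:
        """Decide purely from the presented reference and the requested action."""
        entry = self._caps.get(token)
        if entry is None or action not in entry[1]:
            return (False, "")
        return (True, entry[0])


if __name__ == "__main__":
    print("bob on payroll.xlsx:", sorted(dac_permissions("bob", "payroll.xlsx")))
    print("carol read payroll.xlsx:", dac_allows("carol", "payroll.xlsx", "read"))
    clearance = Label("secret", frozenset({"flight plans"}))
    print("secret/{flight plans} reads confidential/{flight plans}:",
          mac_allows_read(clearance, Label("confidential", frozenset({"flight plans"}))))
    caps = CapabilityTable()
    token = caps.grant("payroll.xlsx", {"read"})
    print("capability read:", caps.invoke(token, "read"))
    print("capability write:", caps.invoke(token, "write"))
```

Note how each model answers the same question differently: the ACL path looks up the subject/object pair and denies when nothing matches, the MAC path compares two labels without consulting any per-object list, and the capability path never looks at who is calling, only at what reference they hold.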

Accounting

  • Definition: Auditing and monitoring user activity after resource access.
  • Purpose: Tracking security events for later review and incident investigation.

Infrastructure Access Controls

  • Components: Physical and logical network design, border devices, communication mechanisms, host security settings.
  • Importance: Thoroughly monitor infrastructure for security threats. Respond appropriately to suspicious activity.

AAA Protocols

  • RADIUS: Client-server protocol that uses UDP ports 1812 (auth/authz) and 1813 (accounting).
  • TACACS+: Cisco proprietary protocol that uses TCP port 49 for authentication, authorization, and accounting. Offers more granular control than RADIUS.
  • Diameter: Newer protocol defined in RFC 6733; used for network access and higher-level services, and offers more reliability than RADIUS.

Cisco Identity Service Engine (ISE)

  • Centralized AAA Policy Engine: Manages authentication and authorization for various devices and applications.
  • Integration: Cisco ISE integrates with multiple Cisco and third-party systems.
  • Features: Visibility of network access, consistent access control enforcement, support for many authentication methods (e.g., RADIUS, TACACS+, Duo).

Description

Test your knowledge on Access Control Models (ACM) and AAA protocols. This quiz covers essential components of ACM, the differences in access control types, and specific features of RADIUS. Challenge yourself with questions that highlight key concepts in network security and access management.
