Authentication: Authentication is the process of verifying the identity a user claims, most commonly by checking a username against a password. Authentication rests on the idea that each individual user holds a piece of information, or a credential, that sets him or her apart from other users; how much it proves depends on how hard that credential is to guess, steal or replay.
Authorization: Authorization is the process of granting or denying a user access to network resources once the user has been authenticated. The amount of information and the number of services the user can reach depend on the user's authorization level. Authentication alone only establishes who the user is; without authorization every authenticated user could do everything.
Accounting: Accounting is the process of keeping track of a user's activity while accessing network resources, including the amount of time spent on the network, the services accessed while there and the amount of data transferred during the session. Accounting data is used for trend analysis, capacity planning, billing, auditing, cost allocation and, after an incident, reconstructing who did what and when.
Kerberos: Kerberos is an authentication service developed at MIT that allows users and services to authenticate themselves to each other over an untrusted network without sending passwords across it. Its components are the Key Distribution Center (KDC), made up of the Authentication Server (AS), which issues a Ticket Granting Ticket (TGT) at initial logon, and the Ticket Granting Service (TGS), which exchanges the TGT for service tickets. Tickets carry timestamps, so synchronized clocks (normally kept by Network Time Protocol, NTP) are a hard requirement; a client whose clock is skewed beyond the allowed tolerance (five minutes by default) cannot authenticate. Kerberos is the default authentication protocol in Windows 2000 and later Microsoft operating systems. Windows uses a negotiation mechanism (SPNEGO, the Negotiate provider) to determine which authentication protocol will be used. If Kerberos fails or isn't supported by one of the client or server components involved in an authentication, Windows falls back to NTLM, which is why attackers try to force that downgrade and why NTLM use on a domain is worth auditing.
RADIUS: RADIUS (Remote Authentication Dial-In User Service) is a protocol that enables a single server to become responsible for all remote-access authentication, authorization and accounting (or auditing) services. It is widely used by Internet Service Providers (ISPs) and for Wi-Fi and VPN logons. When you dial in to the ISP you enter your username and password; the access device passes them to the RADIUS server, which checks that they are correct and tells the device whether to grant access. RADIUS uses a client/server architecture in which the client (the network access server) is typically a router, switch, AP or VPN concentrator and the server is a Windows or Unix host running RADIUS software. It runs over UDP (1812 for authentication and 1813 for accounting; older deployments use 1645/1646), combines authentication and authorization in one exchange, and hides only the User-Password attribute with the shared secret, so the rest of each packet, including the username, is readable on the wire.
TACACS+: TACACS+ (Terminal Access Controller Access-Control System Plus) is a security application that provides centralized validation of users attempting to gain access to a router or network access server. The user database is maintained by a TACACS+ daemon running, typically, on a UNIX or Windows server, and that daemon must be reachable and configured before the TACACS+ features configured on a network access server take effect. Unlike RADIUS, TACACS+ provides separate and modular authentication, authorization and accounting facilities: a single access control server (the TACACS+ daemon) provides each service independently, and each service can be tied into its own database or into other services available on that server or on the network, depending on the capabilities of the daemon. This separation is what makes per-command authorization of administrative sessions possible. TACACS+ runs over TCP port 49 and encrypts the entire packet body, not just the password. Its goal is to provide a methodology for managing multiple network access points from a single management service; the Cisco family of access servers and routers, and the Cisco IOS user interface on both, can act as network access servers.
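The difference between "RADIUS hides only the password" and "TACACS+ encrypts the whole body" is easiest to see in code. The following is an added example, not code from the original page: it implements the RFC 2865 User-Password hiding (MD5 of shared secret and Request Authenticator, chained block by block) and the RFC 8907 TACACS+ body obfuscation (MD5 pad keyed by session id, shared key, version and sequence number). Secrets, authenticators and packet bodies are constructed test values. Both schemes are MD5-based obfuscation rather than modern authenticated encryption, which is the practical reason AAA traffic belongs on a management network or inside IPsec.

```python
# Added example (not from the original page): how RADIUS and TACACS+ hide
# credentials on the wire. Pure stdlib; secrets and authenticators are constructed.
import hashlib
import os


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: User-Password is NUL-padded to a multiple of 16 bytes and
    XORed block by block with b1 = MD5(S + RA), bn = MD5(S + c(n-1)), where S is the
    shared secret, RA the 16-byte Request Authenticator and c(n-1) the previous
    output block. Only this attribute is hidden; User-Name etc. travel in the clear."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        hidden += c
        prev = c
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of radius_hide_password. Trailing NUL padding is stripped,
    so the scheme cannot carry a password that itself ends in NUL bytes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return plain.rstrip(b"\x00")


def tacacs_body_xor(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """RFC 8907 section 4.5: the whole body is XORed with pseudo_pad = MD5_1 | MD5_2 | ...
    truncated to len(body), where MD5_1 = MD5(session_id | key | version | seq_no) and
    MD5_n = MD5(session_id | key | version | seq_no | MD5_(n-1)). XOR is its own inverse,
    so one function both obfuscates and recovers."""
    sid = session_id.to_bytes(4, "big")
    vs = bytes([version & 0xFF, seq_no & 0xFF])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(sid + key + vs + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))


if __name__ == "__main__":
    secret, ra = b"radius-shared-secret", os.urandom(16)      # constructed
    hidden = radius_hide_password(b"hunter2", secret, ra)
    print("RADIUS hidden User-Password:", hidden.hex())
    print("recovered:", radius_reveal_password(hidden, secret, ra))
    body = b"\x01\x00\x01\x00\x00\x05\x00\x00alice"             # constructed body
    obf = tacacs_body_xor(body, 0x1234ABCD, b"tacacs-key", 0xC0, 1)
    print("TACACS+ obfuscated body:", obf.hex())
    print("recovered:", tacacs_body_xor(obf, 0x1234ABCD, b"tacacs-key", 0xC0, 1))
```

Note that in both schemes anyone who captures the traffic and knows (or brute-forces) the shared secret recovers everything; the secret is the only protection, so it must be long, random and unique per client.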
Access Control:
1. Wireless LAN with speeds above 1 Gbps, which 802.11ac achieves comfortably (802.11ac is rated at up to 1300 megabits per second (Mbps), the equivalent of 162.5 megabytes per second (MBps)).
2. There are basically two types of secure remote access: client based and clientless. Client-based access uses IPsec and similar technologies and takes its name from the fact that a client program must be installed on the user's computer to secure the communication. Clientless remote access typically uses SSL/TLS from within the browser window, so no separate client needs to be installed.
3. Port-based network access control, in short PNAC. IEEE 802.1X is the IEEE standard for port-based Network Access Control and is part of the IEEE 802.1 group of networking protocols. A device attached to a switch port or wireless AP must authenticate (using EAP, normally relayed to a RADIUS server) before the port forwards anything other than authentication traffic.
Port security: The purpose of port security is to prevent access to the LAN from unauthorized hosts. You can use the port security feature to restrict input to an interface by limiting and identifying the MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward frames with source addresses outside the group of defined addresses, and a frame from an unknown source is a violation that, depending on configuration, is silently dropped, logged or shuts the port down. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. Because a MAC address can be changed by the host, port security stops rogue hubs and casual plug-ins rather than authenticating the device; 802.1X does that.
Access Control Lists (ACL): An Access Control List (ACL) is a list of ports and services available on a host (or a network device such as a router), each with a list of hosts and/or networks permitted to use the service. Both nodes (workstations or servers) and routers can have access lists, and access lists are used to control both inbound and outbound traffic. Entries are evaluated top down and the first matching entry decides; most implementations end every list with an implicit deny, so the order of entries and the position of any deny line matter.
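First-match evaluation and the implicit deny are where ACL mistakes hide, so here is an added example (not code from the original page) of a small ACL evaluator over a constructed text format, not any vendor's syntax. The sample list deliberately places a "deny everything from the quarantined subnet" entry after a broad permit, which is the shadowing error the evaluator makes visible.

```python
# Added example (not from the original page): a first-match ACL evaluator with the
# implicit deny that router access lists end in. ACL text format is constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None means any destination port


def _network(token: str) -> ipaddress.IPv4Network:
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token, strict=False)


def parse_acl(text: str) -> List[AclEntry]:
    """One entry per line: ACTION PROTO SRC DST [eq PORT]; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (4, 6) or parts[0] not in ("permit", "deny"):
            raise ValueError(f"bad ACL line: {raw!r}")
        dport = None
        if len(parts) == 6:
            if parts[4] != "eq":
                raise ValueError(f"bad ACL line: {raw!r}")
            dport = int(parts[5])
        entries.append(AclEntry(parts[0], parts[1], _network(parts[2]), _network(parts[3]), dport))
    return entries


def evaluate(acl: List[AclEntry], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based index of the entry that matched). Evaluation stops at
    the first match, so order matters; no match falls to the implicit deny (index None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, e in enumerate(acl, start=1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, idx
    return "deny", None


# Constructed sample list. Entry 2 is shadowed for port 443 by entry 1.
SAMPLE_ACL = parse_acl("""
permit tcp 10.0.0.0/8    192.168.1.10/32 eq 443   # web front end
deny   ip  10.0.13.0/24  any                      # quarantined subnet
permit udp any           192.168.1.53/32 eq 53    # DNS
""")

if __name__ == "__main__":
    for pkt in [("tcp", "10.0.13.5", "192.168.1.10", 443),
                ("udp", "10.0.13.5", "192.168.1.53", 53),
                ("udp", "172.16.4.9", "192.168.1.53", 53),
                ("tcp", "172.16.4.9", "192.168.1.10", 22)]:
        print(pkt, "->", evaluate(SAMPLE_ACL, *pkt))
```

The quarantined host 10.0.13.5 still reaches the web server on 443 because entry 1 matches first; moving the deny to the top fixes it. The last packet matches nothing and is dropped by the implicit deny, reported with index None.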
MAC Filtering: In computer networking, Media Access Control (MAC) filtering (also EUI filtering or layer 2 address filtering) is an access control method in which the 48-bit address assigned to each network card is used to decide whether a device may join the network. Because the address is presented by the host's own driver and can be changed with a single command, an attacker who observes one permitted address can clone it, so MAC filtering raises the bar only slightly and should never be the sole control.
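Port security and MAC filtering both key on the source MAC, so one added example serves both sections (this is constructed simulation code, not vendor software or code from the original page). It normalises the three common MAC spellings so a filter compares addresses rather than strings, flags locally administered addresses (the bit that randomised, virtual and hand-set MACs carry), and simulates a secure switch port with a maximum number of learned addresses and the shutdown/restrict/protect violation behaviours described above.

```python
# Added example (not from the original page): MAC normalisation for a MAC filter plus a
# simulated secure switch port with a limit on learned ("sticky") addresses. Constructed.
import re
from typing import Set

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and return the
    lowercase colon form so comparisons are on the address, not its spelling."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not an EUI-48 address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """The U/L bit (0x02 of the first octet) marks an address not burned in by the vendor:
    randomised, virtual-machine or hand-set (possibly spoofed) MACs. Worth logging."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


class SecurePort:
    """Port security: up to max_secure source MACs are accepted (configured statically or
    learned from the first frames seen); any other source MAC is a violation."""

    def __init__(self, name: str, max_secure: int = 1, violation: str = "shutdown"):
        if violation not in ("shutdown", "restrict", "protect"):
            raise ValueError("violation mode must be shutdown, restrict or protect")
        self.name, self.max_secure, self.violation = name, max_secure, violation
        self.secure_macs: Set[str] = set()
        self.err_disabled = False
        self.violations = 0

    def add_static(self, mac: str) -> None:
        mac = normalize_mac(mac)
        if mac not in self.secure_macs and len(self.secure_macs) >= self.max_secure:
            raise ValueError(f"{self.name}: secure MAC limit {self.max_secure} reached")
        self.secure_macs.add(mac)

    def frame_from(self, src_mac: str) -> str:
        mac = normalize_mac(src_mac)
        if self.err_disabled:
            return "dropped: port err-disabled"
        if mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.max_secure:
            self.secure_macs.add(mac)            # sticky learning of a new secure MAC
            return "forwarded (learned)"
        if self.violation != "protect":          # protect drops silently, no counter
            self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True             # stays down until an admin re-enables it
            return "violation: port err-disabled"
        return "violation: frame dropped"


if __name__ == "__main__":
    port = SecurePort("Gi0/1", max_secure=1)
    for src in ("00:11:22:AA:BB:CC", "0011.22aa.bbcc", "de:ad:be:ef:00:01", "00:11:22:aa:bb:cc"):
        print(src, "->", port.frame_from(src))
    print("locally administered:", is_locally_administered("02:00:5e:00:00:01"))
```

The sequence in the main block shows the trade-off: the first unknown MAC is learned and forwarded, the second takes the port down, and even the legitimate host is then cut off until someone intervenes, which is why restrict is often preferred on user ports.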
Multifactor Authentication (MFA): MFA is a method of confirming a user's claimed identity in which the user is granted access only after successfully presenting two or more pieces of evidence (factors) from different categories to an authentication mechanism: something you know (a password or PIN), something you have (a hardware token or a phone that generates one-time codes) and something you are (a biometric). Two passwords are two credentials of the same category, not two factors.
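The "something you have" factor most people meet is a time-based one-time code. As an added example (not code from the original page), the following implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library and a server-side verifier that tolerates a little clock drift while comparing in constant time. The secret used in the main block is the RFC test key, not a real enrolment.

```python
# Added example (not from the original page): HOTP/TOTP one-time codes as produced by a
# "something you have" factor, plus server-side verification with a drift window.
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HMAC the 8-byte big-endian counter, dynamically truncate to 31 bits and keep the
    last `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits, algo)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None, step: int = 30,
                window: int = 1, digits: int = 6, algo: str = "sha1") -> bool:
    """Accept the code for the current step and up to `window` steps either side to
    absorb clock drift. Every candidate is compared (no early exit) in constant time.
    A production verifier must also remember the last accepted counter per user so a
    captured code cannot be replayed inside the window."""
    now = time.time() if at is None else at
    counter = int(now // step)
    ok = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits, algo)
        ok |= hmac.compare_digest(candidate, code)
    return ok


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"      # RFC 6238 test vector key, not a real secret
    print("TOTP at t=59 (8 digits):", totp(rfc_secret, at=59, digits=8))
    print("current 6-digit code:", totp(rfc_secret))
    print("verify with 1-step window:", verify_totp(rfc_secret, totp(rfc_secret)))
```

The window is a security knob: each extra step doubles the number of codes an attacker may guess for a given moment, so keep it at one step either side and rate-limit failed attempts.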
It is very important to know the distinction between Hashing, Digital signature, and Encryption:
Two main types of encryption are asymmetric encryption (also called public-key encryption) and symmetric encryption:
A digital signature is a value computed over a message with the signer's private key; anyone holding the matching public key can verify it, which authenticates the identity of the sender and proves the message has not been altered since it was signed. A digital signature can accompany an encrypted or an unencrypted message, because signing provides integrity and authenticity, not confidentiality. A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is genuine.
There are three types of cryptographic algorithms that are commonly used. They are:
1. Hashing algorithms
2. Symmetric key-based algorithms
3. Asymmetric key-based algorithms
1. Hashing algorithms: Hashing is not an encryption scheme; a hash is a one-way, fixed-length digest computed without any key, so it cannot be reversed to recover the data. Sending a digest alongside data lets the receiver detect tampering, but only if the digest itself arrives through a channel the attacker cannot alter, since anyone can recompute a hash over modified data. Common hash algorithms include the following:
2. Symmetric algorithms: As the name suggests, symmetric key algorithms use the same key to encrypt and to decrypt a message, so the key must be shared in advance over a trusted path. Some of the commonly used symmetric key algorithms are:
3. Asymmetric algorithms: Also known as public key algorithms, these use a mathematically related key pair: what one key encrypts only the other can decrypt. The public key can be published while the private key stays with its owner, which is what makes key exchange and digital signatures possible. Given below are some of the popular asymmetric algorithms:
LDAP: The Lightweight Directory Access Protocol is a directory service protocol that runs directly over TCP/IP. It provides a mechanism used to connect to, search and modify Internet directories, and it follows a client-server model. The function of LDAP is to enable access to an existing directory, such as Active Directory, which is why directory lookups and binds are central to both single sign-on and reconnaissance of a domain.
LDAP ports: LDAP uses TCP 389 for unsecured communication and 636 for communication protected by SSL/TLS. An LDAP client starts a session by connecting to an LDAP server, called a Directory System Agent (DSA), by default on TCP port 389. Alternatively, a client may connect over SSL/TLS; this is denoted in LDAP URLs by the URL scheme "ldaps", and the default port for LDAP over SSL/TLS is 636. A plain connection on 389 can also be upgraded with the StartTLS extended operation; without either, bind credentials cross the network in the clear.
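Two things a practitioner wants from the LDAP paragraphs in code form: how to build a search filter from user input without letting that input rewrite the filter (LDAP injection), and how the ldap/ldaps schemes map to the 389/636 defaults. The following is an added example, not code from the original page; it uses the RFC 4515 escaping rules and the standard library URL parser, and every hostname is constructed.

```python
# Added example (not from the original page): safe LDAP search filter construction
# (RFC 4515 escaping) and default-port resolution for ldap:// and ldaps:// URLs.
import urllib.parse
from typing import Tuple

# RFC 4515: these characters must be written as backslash plus two hex digits when they
# occur inside an assertion value, or they are parsed as filter syntax.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter(username: str) -> str:
    """Look up a person by uid. Without escaping, a username such as '*)(uid=*' would
    turn this into a wildcard match on every person (classic LDAP injection)."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def ldap_endpoint(url: str) -> Tuple[str, int, bool]:
    """Return (host, port, tls) with the defaults from the text: 389 for ldap://, 636 for
    ldaps://. StartTLS on 389 is negotiated after connecting and is not visible in the URL."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {url!r}")
    tls = parts.scheme == "ldaps"
    port = parts.port if parts.port is not None else (636 if tls else 389)
    return parts.hostname, port, tls


if __name__ == "__main__":
    print(login_filter("alice"))
    print(login_filter("*)(uid=*"))           # injection attempt rendered harmless
    for url in ("ldap://dc1.example.internal", "ldaps://dc1.example.internal",
                "ldap://dc1.example.internal:3268/dc=example"):      # constructed hosts
        print(url, "->", ldap_endpoint(url))
```

Escaping the value is necessary but not sufficient: the same input also needs escaping under the separate RFC 4514 rules if it is ever placed into a distinguished name rather than a filter.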
Port numbers worth remembering for these and related protocols:
SMB - 445
POP - 110
IMAP - 143
LDAP - 389
LDAPS - 636
H.323 - 1720