- Some of the features of Kerberos authentication system:
1. Uses a client-server based architecture.
2. The Kerberos server, referred to as the KDC (Key Distribution Center), implements the Authentication Service (AS) and the Ticket Granting Service (TGS).
3. The term "application server" generally refers to Kerberized programs that clients communicate with, using Kerberos tickets for authentication. For example, the Kerberos telnet daemon (telnetd) is an application server.
- Biometric authentication depends on a physical characteristic of a human being. It is not something that can be remembered. Usually, biometric authentication is very secure, though it is not widely used due to cost constraints.
- The standard 802.1x corresponds to wireless network access protocols. Various wireless LAN protocols are given below:
1. IEEE 802.11 – supports data rates up to 2 Mbps in the 2.4 GHz frequency band.
2. IEEE 802.11a – supports data rates up to 54 Mbps in the 5 GHz frequency band.
3. IEEE 802.11b – supports data rates up to 11 Mbps in the 2.4 GHz frequency band.
4. IEEE 802.3 describes the CSMA/CD Ethernet standard.
5. IEEE 802.5 describes Token Ring networks.
6. IEEE 802.4 is the standard for Token Bus networks.
Note that IEEE 802.11x is the standard that pertains to wireless LANs.
- IPSec uses the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols for transporting packets securely over the Internet. Note that PPTP and L2TP are tunneling protocols, whereas IPSec provides strong encryption.
- File Transfer Protocol (FTP) transfers files in unencrypted form. Even the authentication occurs in clear text for FTP and Telnet. A hacker may gain access to an FTP server by exploiting this weakness.
- NetStumbler can be used to sniff wireless networks during wardriving. The tool provides several details of a wireless network, such as the SSID. PPTP is a tunneling protocol. WAP is a protocol, not a software tool. ActiveX is a software component used with Microsoft programming languages such as Visual C.
- Non-repudiation prevents either the sender or the receiver of messages from denying having sent or received a message.
- A secure web page using SSL (Secure Sockets Layer) starts with https instead of the usual http. SSL uses asymmetric keys with 40- or 128-bit cipher strength.
- The host-to-host configuration provides the highest security for the data. However, a gateway-to-gateway VPN is transparent to the end users.
- Any software is inherently prone to vulnerabilities. Therefore, software manufacturers provide updates or patches to the software from time to time. These updates usually take care of any known vulnerabilities. Therefore, it is important to apply these updates.
Additional functionality is also one of the reasons for applying software updates. However, it is often not the compelling reason to apply them.
- Packet filters work at the Network Layer of the OSI model.
The application layer proxy works at the Application Layer of the OSI model.
Network Address Translation (NAT) is primarily used to hide the internal network from an external network, such as the Internet. NAT translates internal IP addresses to external IP addresses and vice versa. This ensures that external users do not see the internal IP addresses, and hence the hosts.
A firewall implemented with stateful technology (like Checkpoint Firewall) works at all layers of the OSI model.
- The employees of a company typically use the Intranet within the company. The customers and vendors of the company use the Extranet. An Extranet is basically an extension of the Intranet over the public Internet. A typical use is when a company has multiple vendors and does order processing and inventory control on-line.
Note that, on the other hand, the Internet is accessible to everybody, i.e. the general public.
The benefits of implementing Intranets and Extranets are security and customization. Intranets and Extranets are relatively safe because the general public cannot access these networks. Intranets and Extranets are usually connected securely by means of a Virtual Private Network (VPN).
- IDS stands for Intrusion Detection System. There are primarily two types of IDSs: network-based IDS (NIDS) and host-based IDS (HIDS). If the IDS monitors network-wide communication, it is called a network-based IDS; if the IDS monitors security on a per-host basis, it is called a host-based IDS.
Server-based IDS and workstation-based IDS are not the correct answers.
- The first thing to do when an intrusion is detected is to contain the damage. For example, if the intrusion is in the form of an unauthorized user, ensure that the user cannot access any network resource.
- ISAKMP (short for Internet Security Association and Key Management Protocol) defines payloads for exchanging key generation and authentication data.
- A cryptographic hash function is a "one-way" operation. It is practically impossible to deduce the input data that produced the output hash.
You can decrypt an encoded message using the matching secret key. Similarly, a digital certificate is issued by a CA and can be decrypted to find the contents of the certificate.
- The disadvantages of using symmetric encryption over asymmetric encryption are given below:
1. Inability to support non-repudiation: since both the sender and receiver use the same key, it is difficult to determine who the sender is, should a dispute arise.
2. Impractical for web commerce: imagine thousands of customers buying goods and services over the Internet. If a symmetric encryption standard is used, one unique private key pair needs to be used for each user. It is, therefore, impractical.
3. Another major difficulty is the transmission of the private key. With symmetric encryption, the private key needs to be transmitted to the other party for decryption, which may pose a security risk.
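The non-repudiation point above, shown as an added example (not part of the original notes): with one shared symmetric key, a message tag made by the sender is indistinguishable from one the receiver could make, so an arbiter holding only that key cannot settle a dispute. The key and messages are constructed for the demo.

```python
import hmac
import hashlib

# Constructed demo key shared by both parties (symmetric scheme).
SHARED_KEY = b"constructed-demo-shared-key"
KEY_HOLDERS = ("alice", "bob")


def tag(key: bytes, message: bytes) -> bytes:
    """Integrity/authenticity tag computed with the shared key (HMAC-SHA256)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, t: bytes) -> bool:
    """Constant-time comparison of a received tag against a recomputed one."""
    return hmac.compare_digest(tag(key, message), t)


def possible_authors(key: bytes, message: bytes, t: bytes) -> list:
    """An arbiter given only the shared key: a valid tag proves the message was
    tagged by *someone* holding the key, never *which* holder. Returns every
    holder for a valid tag and nobody for an invalid one."""
    return list(KEY_HOLDERS) if verify(key, message, t) else []


def dispute_scenario() -> dict:
    """Alice tags a genuine order; Bob, holding the same key, tags a different
    order himself. Both tags verify, so neither can be attributed to Alice."""
    genuine = b"transfer 100 to bob"
    genuine_tag = tag(SHARED_KEY, genuine)          # produced by Alice
    claimed = b"transfer 1000 to bob"
    claimed_tag = tag(SHARED_KEY, claimed)          # produced by Bob with the same key
    return {
        "genuine_verifies": verify(SHARED_KEY, genuine, genuine_tag),
        "claimed_verifies": verify(SHARED_KEY, claimed, claimed_tag),
        "genuine_authors": possible_authors(SHARED_KEY, genuine, genuine_tag),
        "claimed_authors": possible_authors(SHARED_KEY, claimed, claimed_tag),
        # A tag transplanted onto a modified message still fails integrity.
        "tampered_verifies": verify(SHARED_KEY, claimed, genuine_tag),
    }
```

Because both parties end up in `possible_authors` for both orders, the arbiter cannot prove which order Alice actually sent; a per-user private signing key is what removes that ambiguity.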
- Whether required or not, several services are installed by default. Disabling the services that are not required ensures better security for the system.
- A rootkit is a collection of tools that enable administrator-level access to a computer. Typically, a hacker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or by cracking a password. Once the rootkit is installed, it allows the attacker to gain root access to the computer and, possibly, other machines on the network.
A rootkit may consist of spyware and other programs that monitor traffic, keystrokes, etc., using a "backdoor" into the system.
- Computer based access controls prescribe not only who or what process may have access to a given resource, but also the type of access that is permitted. These controls may be implemented in the computer system or in external devices. Different types of access control are:
1. Mandatory access control
2. Discretionary access control
3. Rule based access control
4. Role based access control
Mandatory Access Control (MAC) secures information by assigning sensitivity labels to objects (resources) and comparing these to the sensitivity level a subject (user) is operating at. MAC ensures that users only have access to data for which they have a matching or greater security label (or security clearance). In general, MAC mechanisms are more secure than DAC. MAC is usually appropriate for extremely secure systems, including multilevel secure military applications or mission-critical data applications.
Discretionary Access Control (DAC): DAC is a means of restricting access to information based on the identity of users and/or membership in certain groups. Access decisions are typically based on the authorizations granted to a user based on the credentials presented at the time of authentication (user name, password, hardware/software token, etc.). In most typical DAC models, the owner of the information or resource is able to change its permissions at his discretion. DAC has the drawback that administrators are not able to centrally manage these permissions on files/information stored on the web server.
Role Based Access Control (RBAC): in RBAC, access decisions are based on an individual's roles and responsibilities within the organization. For instance, in a corporation, the different roles of users may include chief executive, manager, executive, and clerk. Obviously, these members require different levels of access in order to perform their functions, but the types of web transactions and their allowed context also vary greatly depending on the security policy. In Role Based Access Control, the administrator sets the roles. Therefore, this type of access control is sometimes considered a subset of MAC.
Rule Based Access Control (RBAC): access to a resource in Rule Based Access Control is based on a set of rules. ACLs (Access Control Lists) are used for this type of access control. In Rule Based Access Control, the administrator sets the rules. Therefore, this type of access control is sometimes considered a subset of MAC.
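The four models above, reduced to their decision logic in an added example that is not part of the original notes: MAC compares labels, DAC lets only the owner change permissions, RBAC goes through roles, and rule-based control walks an ACL in order with a default deny. Labels, users, roles and the ACL are all constructed for the demo.

```python
from dataclasses import dataclass, field

# MAC: ordered sensitivity labels (constructed lattice).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_allows(subject_clearance: str, object_label: str) -> bool:
    """Read allowed only when the subject's clearance matches or exceeds the label."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]


@dataclass
class DacObject:
    """DAC: the owner decides; nobody else may alter the permission set."""
    owner: str
    perms: dict = field(default_factory=dict)  # user -> set of operations

    def grant(self, actor: str, user: str, ops: set) -> None:
        if actor != self.owner:
            raise PermissionError("only the owner may change permissions")
        self.perms.setdefault(user, set()).update(ops)

    def allows(self, user: str, op: str) -> bool:
        return user == self.owner or op in self.perms.get(user, set())


# RBAC: permissions hang off roles set by the administrator, not off users.
ROLE_PERMS = {"manager": {"read", "approve"}, "clerk": {"read"}}
USER_ROLES = {"alice": {"manager"}, "bob": {"clerk"}}


def rbac_allows(user: str, op: str) -> bool:
    return any(op in ROLE_PERMS[role] for role in USER_ROLES.get(user, ()))


# Rule-based: an administrator-set ACL; first matching entry wins, default deny.
ACL = [("deny", "guest", "write"), ("allow", "*", "read"), ("allow", "staff", "write")]


def rule_allows(group: str, op: str) -> bool:
    for action, who, what in ACL:
        if who in ("*", group) and what == op:
            return action == "allow"
    return False
```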