CISSPills are short presentations covering topics to study in preparation for the CISSP exam. CISSPills is a digest of my notes and is not meant to replace a study book; it is meant only as another companion for self-paced students.
Every issue covers different topics of the CISSP CBK, and the goal is to address all 10 domains that compose the CISSP.
IN THIS ISSUE:
Domain 1: Access Control
- Federated Identity
- Markup Languages
- AAA Protocols
2. CISSPills Table of Contents
Federated Identity
Markup Languages
AAA Protocols
3. Federated Identity
Identity Management is the management of user identities and their credentials. Federated
Identity extends this beyond a single organisation and represents a portable identity, and its
associated entitlement, that can be used across business boundaries. Multiple organisations can
join a federation, or group, where they agree upon a method to share identities among them.
Users in each organisation can log on once in their own organisation and their credentials are
matched with a federated identity. They can use this federated identity to access resources in
any other organisation within the federation.
[Figure: users authenticate once to Organisation A and are then authenticated to Organisations B, C and D through the federation.]
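As an added example (not part of the CISSPills deck), here is what the service provider in Organisation B must check before honouring a federated identity issued by Organisation A. It uses the SAML 2.0 assertion format, which the deck introduces two slides later; the organisation names, URLs and the sample assertion are constructed for illustration, and XML signature verification is assumed to have been done by a SAML library before these checks run.

```python
# Added example (not from the CISSPills deck): the SP-side checks that make a federated
# identity safe to accept. Names, URLs and the assertion are constructed for illustration.
import xml.etree.ElementTree as ET
from datetime import datetime

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: Organisation A's IdP vouches for alice to Organisation B's SP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.org-a.example</saml:Issuer>
  <saml:Subject><saml:NameID>alice@org-a.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.org-b.example</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>auditor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

TRUSTED_IDPS = {"https://idp.org-a.example"}   # federation members this SP trusts (constructed)
SP_ENTITY_ID = "https://sp.org-b.example"       # this SP's own entity identifier (constructed)


def _ts(value):
    """SAML timestamps are UTC ISO-8601 with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def accept_assertion(xml_text, now, trusted_idps=TRUSTED_IDPS, audience=SP_ENTITY_ID):
    """Return (subject, attributes) if the assertion may be honoured, else raise ValueError.

    Assumes the XML signature was already verified by a SAML library. What remains, and
    what this function shows, are the checks an SP must still make on a validly signed
    assertion: the issuer is a federation member, the assertion is addressed to this SP,
    and the current time lies inside its validity window. Skipping any of them lets a
    token minted for another organisation, or for an earlier moment, be replayed here.
    """
    if isinstance(now, str):
        now = _ts(now)
    root = ET.fromstring(xml_text)

    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer not in trusted_idps:
        raise ValueError(f"issuer not in federation: {issuer!r}")

    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions element")
    not_before, not_on_or_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")

    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if audience not in audiences:
        raise ValueError(f"assertion not addressed to {audience!r}")

    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attributes = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS)
    }
    return subject, attributes


if __name__ == "__main__":
    print(accept_assertion(SAMPLE_ASSERTION, "2024-01-01T12:01:00Z"))
```

The federated identity the deck describes is exactly this tuple: a subject name and attributes that Organisation B never stored itself, but is willing to act on because it trusts Organisation A's IdP and the assertion passed every check above. Production deployments add a check that the assertion ID has not been seen before, to stop replay within the window.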
4. Markup Languages
Having multiple organisations communicating with each other poses numerous challenges, because each company has different infrastructures, systems, etc. For these communications to work, it is key to find a common language that allows the organisations to talk to each other.
A markup language is a way to structure text and data, as well as to instruct how these will be viewed and used. Markup languages also enable interoperability, which in turn allows different systems (and organisations) to interoperate. Below is a list of common markup languages:
Extensible Markup Language (XML): is a universal and foundational standard that provides a structure for other independent markup languages to be built on, while still allowing for interoperability. Several markup languages have been derived from XML and each of them has its own functionality; however, as long as they follow the core rules of XML, they remain interoperable;
5. Markup Languages (cont’d)
Security Provisioning Markup Language (SPML): is an XML-based framework designed to exchange user information for federated identity single sign-on. It’s based on the Directory Service Markup Language (DSML), which can present LDAP-based directory service information in an XML format. SPML allows for the automation of user management (e.g. account creation, deletion, etc.), as well as of access entitlements. There are three components making up SPML: the Requesting Authority (RA), which is the entity making the request; the Provisioning Service Provider (PSP), which responds to the entity’s request; and the Provisioning Service Target (PST), which carries out the provisioning activity on the target system;
Security Assertion Markup Language (SAML): is an XML-based language used to
exchange authentication and authorisation information among federated organisations. In
SAML, users (called principals) authenticate against an entity called Identity Provider
(IdP); while the other entities, belonging to the same federation but consuming the
authentication performed by the IdP, are called Service Providers (SP);
Extensible Access Control Markup Language (XACML): is used to define security policies
and access rights in XML format; it’s usually used to implement Role-Based Access Controls.
It provides assurance that the same rights are granted to different roles across the entities
within the same federation. XACML is both an access control policy language and a
processing model to interpret and enforce such policies.
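As an added example (not from the deck, and not the XACML specification's own code), here is a small policy decision point that evaluates a constructed XACML 3.0 policy: auditors may read audit logs, and every other request falls through to an explicit Deny. It implements only Rule/Target/Match with the string-equal function and the first-applicable rule-combining algorithm, and omits the DataType attributes a schema-valid policy carries; the policy, attribute ids and requests are all constructed for illustration.

```python
# Added example (not from the CISSPills deck): a minimal XACML 3.0-style policy decision point.
# It understands only Rule/Target/Match with string-equal and the first-applicable combining
# algorithm; the policy, attribute ids and requests are constructed for illustration.
import xml.etree.ElementTree as ET

X = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"

# Constructed policy: auditors may read audit logs; any other request hits the final Deny rule.
SAMPLE_POLICY = f"""<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="audit-log-access" Version="1.0"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule RuleId="auditor-may-read" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue>auditor</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="role" MustBePresent="false"/>
      </Match>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue>audit-log</AttributeValue>
        <AttributeDesignator Category="{RESOURCE}" AttributeId="resource-id" MustBePresent="false"/>
      </Match>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue>read</AttributeValue>
        <AttributeDesignator Category="{ACTION}" AttributeId="action-id" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="default-deny" Effect="Deny"/>
</Policy>"""


def _match(match, request):
    """string-equal: true if any value in the request's attribute bag equals the literal."""
    if match.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(f"unsupported MatchId {match.get('MatchId')!r}")
    literal = match.findtext("x:AttributeValue", namespaces=X)
    designator = match.find("x:AttributeDesignator", X)
    bag = request.get(designator.get("Category"), {}).get(designator.get("AttributeId"), [])
    return literal in bag


def _target_matches(target, request):
    """A missing or empty Target matches everything; otherwise every AnyOf needs at least
    one AllOf whose Match elements all hold."""
    if target is None:
        return True
    return all(
        any(all(_match(m, request) for m in all_of.findall("x:Match", X))
            for all_of in any_of.findall("x:AllOf", X))
        for any_of in target.findall("x:AnyOf", X))


def decide(policy_xml, request):
    """first-applicable: walk the rules in document order and return the Effect of the first
    whose Target matches; NotApplicable if the policy target or no rule applies."""
    policy = ET.fromstring(policy_xml)
    if not _target_matches(policy.find("x:Target", X), request):
        return "NotApplicable"
    for rule in policy.findall("x:Rule", X):
        if _target_matches(rule.find("x:Target", X), request):
            return rule.get("Effect")
    return "NotApplicable"


def request(role, resource, action):
    """Build the attribute bags the PDP consumes: category -> attribute id -> list of values."""
    return {SUBJECT: {"role": [role]}, RESOURCE: {"resource-id": [resource]}, ACTION: {"action-id": [action]}}


if __name__ == "__main__":
    print(decide(SAMPLE_POLICY, request("auditor", "audit-log", "read")))   # Permit
    print(decide(SAMPLE_POLICY, request("developer", "audit-log", "read"))) # Deny
```

Because the policy is a document rather than code in each application, every entity in the federation can load the same file into its own PDP and reach the same decision for the same role, which is the assurance the slide describes. Rule order matters under first-applicable: move the Deny rule above the Permit rule and the policy denies everyone.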
6. AAA Protocols
Some protocols are designed to provide Authentication, Authorisation and
Accountability (AAA). They are usually deployed with remote access systems (e.g.
dial-up and VPNs) and provide centralised access control.
Remote Authentication Dial-In User Service (RADIUS): is a client-server
protocol. The access server (e.g. a VPN concentrator) requires the user’s
username and password and then passes them to the RADIUS server, which
verifies if the credentials are correct.
The client and the access server negotiate the authentication protocol (PAP, CHAP,
etc.) over a PPP connection; whilst the access server and the RADIUS server talk
over the RADIUS protocol. RADIUS supports user profiles, which can be
assigned to authenticated users to control what resources they can access.
RADIUS can also be implemented with callback security; if deployed in this way,
once users successfully log in, the RADIUS server terminates the connection and
initiates a call back to the user’s predefined phone number.
RADIUS encrypts only the password exchange; it doesn’t encrypt the entire session.
7. AAA Protocols (cont’d)
Terminal Access Controller Access Control System (TACACS): was designed as an alternative to RADIUS; it was later extended by Cisco (Extended TACACS – XTACACS) as a proprietary protocol. A further version, TACACS+, was later created as an open protocol; this last one is the most widely adopted version.
TACACS+ introduces several enhancements over its preceding versions, as well as over RADIUS:
It separates authentication, authorisation and accounting into separate processes, which can be hosted on separate servers;
It encrypts all the authentication information, not just the password;
It supports two-factor authentication;
It uses TCP, which provides a higher level of reliability compared to UDP;
It provides a higher level of granularity when it comes to controlling what users can do once authenticated.
TACACS+ is a totally different protocol and is not backward-compatible with TACACS and
XTACACS.
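The two points above, that RADIUS only encrypts the password while TACACS+ encrypts all the authentication information, can be made concrete. The following is an added example, not code from the deck: it implements the RFC 2865 User-Password hiding used by RADIUS and the RFC 8907 body obfuscation used by TACACS+, then shows which fields an observer on the path can read in each case. The shared secrets, username, password and packet contents are constructed sample values.

```python
# Added example (not from the CISSPills deck): how much of the credential exchange
# RADIUS (RFC 2865) and TACACS+ (RFC 8907) hide from an observer on the wire.
# Secrets, names, the password and the packet bodies below are constructed sample values.
import hashlib
import struct

RADIUS_USER_NAME, RADIUS_USER_PASSWORD = 1, 2   # attribute type codes from RFC 2865


def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a 16-octet multiple, then XOR
    each block with MD5(secret + previous block), seeded with the Request Authenticator.
    Only this one attribute is treated this way; everything else in the packet is cleartext."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is at most 128 octets")
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * blocks, b"\x00")
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden, prev = hidden + block, block
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of the above: whoever holds the shared secret recovers the password, which is
    why the secret's strength and the network path matter as much as this hiding step."""
    revealed, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        revealed += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return revealed.rstrip(b"\x00")


def radius_attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1 octet), Length (1 octet, including the 2-octet header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def radius_access_request_attrs(username: bytes, password: bytes, secret: bytes,
                                request_authenticator: bytes) -> bytes:
    """The attribute section of an Access-Request as it appears on the wire: the username
    attribute is sent in the clear, only the password attribute is hidden."""
    return (radius_attribute(RADIUS_USER_NAME, username)
            + radius_attribute(RADIUS_USER_PASSWORD,
                               radius_hide_password(password, secret, request_authenticator)))


def tacacs_plus_obfuscate(body: bytes, key: bytes, session_id: int, version: int = 0xC0,
                          seq_no: int = 1) -> bytes:
    """RFC 8907 section 4.5: pseudo_pad = MD5(session_id | key | version | seq_no), with each
    further MD5 block also absorbing the previous one; the pad is XORed over the whole packet
    body (only the 12-octet header stays readable). XOR is its own inverse, so the same call
    decrypts."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < len(body):
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return bytes(b ^ p for b, p in zip(body, pad))


if __name__ == "__main__":
    ra = bytes(range(16))                      # fixed Request Authenticator for the demo
    wire = radius_access_request_attrs(b"alice", b"pw-example", b"shared-secret", ra)
    print("RADIUS: username readable:", b"alice" in wire, "| password readable:", b"pw-example" in wire)
    body = b"\x01\x00\x01\x00alice\x00pw-example"   # constructed stand-in for an authentication body
    hidden = tacacs_plus_obfuscate(body, b"shared-secret", 0x1234ABCD)
    print("TACACS+: username readable:", b"alice" in hidden)
```

Both schemes are keyed only by a static shared secret and MD5, and neither provides integrity for the hidden data, so in practice both protocols are run over a protected path (an IPsec tunnel, or RADIUS over TLS as defined in RFC 6614) rather than relied on alone.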
8. AAA Protocols (cont’d)
Diameter: was designed upon the functionality of RADIUS and overcomes many of its limitations. It provides the same AAA capabilities as RADIUS and TACACS, but also provides more flexibility in terms of networks and protocols, including Mobile IP and Voice over IP (VoIP).
Diameter consists of two portions: the base protocol, which defines header formats, security options, commands and AVPs (attribute-value pairs); and extensions that tie in other services. By doing so, the same protocol can be used to interoperate with different networks.
RADIUS and TACACS are client-server protocols, which means that the client initiates the communication and the server cannot send unsolicited commands. Diameter is instead a peer-to-peer protocol, where both the client and the server can initiate the communication.
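As an added example (not from the deck or any real Diameter stack), here is an encoder and parser for the base-protocol header and AVP formats defined in RFC 6733, built around a Capabilities-Exchange-Request. It shows the R flag that marks a request (either peer may set it, which is what makes Diameter peer-to-peer), the mandatory (M) bit on AVPs that a receiver must refuse when it does not understand the AVP, and an answer reusing the request's identifiers. The host and realm names are constructed.

```python
# Added example (not from the CISSPills deck or any Diameter implementation): the RFC 6733
# base-protocol header and AVP layout, with the checks a receiving peer makes.
# Host and realm names below are constructed.
import struct

DIAMETER_VERSION = 1
FLAG_REQUEST, FLAG_PROXIABLE, FLAG_ERROR = 0x80, 0x40, 0x20      # command flags (R, P, E)
AVP_FLAG_VENDOR, AVP_FLAG_MANDATORY = 0x80, 0x40                 # AVP flags (V, M)
CMD_CAPABILITIES_EXCHANGE = 257                                  # CER and CEA share the code
AVP_ORIGIN_HOST, AVP_ORIGIN_REALM, AVP_RESULT_CODE = 264, 296, 268
KNOWN_AVPS = {AVP_ORIGIN_HOST, AVP_ORIGIN_REALM, AVP_RESULT_CODE}  # what this peer understands


def encode_avp(code, data, mandatory=True, vendor_id=None):
    """AVP Code (4) | Flags (1) | Length (3, excludes padding) | [Vendor-ID (4)] | Data | pad to 4."""
    flags = (AVP_FLAG_MANDATORY if mandatory else 0) | (AVP_FLAG_VENDOR if vendor_id is not None else 0)
    vendor = struct.pack("!I", vendor_id) if vendor_id is not None else b""
    length = 8 + len(vendor) + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + vendor + data + b"\x00" * (-len(data) % 4))


def encode_message(command, application_id, hop_by_hop, end_to_end, avps, request=True, proxiable=True):
    """Version (1) | Length (3) | Flags (1) | Command Code (3) | Application-ID (4) |
    Hop-by-Hop Id (4) | End-to-End Id (4) | AVPs."""
    body = b"".join(avps)
    flags = (FLAG_REQUEST if request else 0) | (FLAG_PROXIABLE if proxiable else 0)
    return (struct.pack("!B", DIAMETER_VERSION) + (20 + len(body)).to_bytes(3, "big")
            + struct.pack("!B", flags) + command.to_bytes(3, "big")
            + struct.pack("!III", application_id, hop_by_hop, end_to_end) + body)


def decode_message(packet):
    """Parse a message, rejecting malformed lengths and mandatory AVPs this peer does not
    understand (RFC 6733: an unrecognised AVP with the M bit set must be refused, which the
    peer would report with Result-Code 5001, DIAMETER_AVP_UNSUPPORTED)."""
    if len(packet) < 20 or packet[0] != DIAMETER_VERSION:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(packet[1:4], "big")
    if length != len(packet):
        raise ValueError("message length does not match the data received")
    flags, command = packet[4], int.from_bytes(packet[5:8], "big")
    application_id, hop_by_hop, end_to_end = struct.unpack("!III", packet[8:20])
    avps, offset = [], 20
    while offset < length:
        if offset + 8 > length:
            raise ValueError("truncated AVP header")
        code, avp_flags = struct.unpack("!IB", packet[offset:offset + 5])
        avp_len = int.from_bytes(packet[offset + 5:offset + 8], "big")
        if avp_len < 8 or offset + avp_len > length:
            raise ValueError("bad AVP length")
        data_start, vendor_id = offset + 8, None
        if avp_flags & AVP_FLAG_VENDOR:
            if avp_len < 12:
                raise ValueError("vendor AVP too short for a Vendor-ID")
            vendor_id = struct.unpack("!I", packet[data_start:data_start + 4])[0]
            data_start += 4
        if avp_flags & AVP_FLAG_MANDATORY and code not in KNOWN_AVPS:
            raise ValueError(f"unsupported mandatory AVP {code} (DIAMETER_AVP_UNSUPPORTED)")
        avps.append((code, vendor_id, packet[data_start:offset + avp_len]))
        offset += avp_len + (-avp_len % 4)          # next AVP starts on a 4-octet boundary
    return {"request": bool(flags & FLAG_REQUEST), "command": command, "application_id": application_id,
            "hop_by_hop": hop_by_hop, "end_to_end": end_to_end, "avps": avps}


def make_answer(request_packet, avps):
    """An answer keeps the request's command code and both identifiers and clears the R flag.
    Since either peer may originate requests, each side needs both this path and the request path."""
    req = decode_message(request_packet)
    if not req["request"]:
        raise ValueError("only requests are answered")
    return encode_message(req["command"], req["application_id"], req["hop_by_hop"], req["end_to_end"],
                          avps, request=False, proxiable=False)


def sample_cer():
    """A constructed Capabilities-Exchange-Request from a peer in org-a to its neighbour."""
    return encode_message(CMD_CAPABILITIES_EXCHANGE, 0, 0x11111111, 0x22222222,
                          [encode_avp(AVP_ORIGIN_HOST, b"dia1.org-a.example"),
                           encode_avp(AVP_ORIGIN_REALM, b"org-a.example")])


if __name__ == "__main__":
    cer = sample_cer()
    print(decode_message(cer))
    cea = make_answer(cer, [encode_avp(AVP_RESULT_CODE, (2001).to_bytes(4, "big"))])  # DIAMETER_SUCCESS
    print(decode_message(cea))
```

The 3-octet length fields and 4-octet AVP alignment are what a parser must get right before it trusts anything else in the message; the M-bit refusal is the base protocol's way of ensuring that an extension one peer speaks is never silently ignored by a peer that does not.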
9. That’s all Folks!
We are done, thank you for your interest! I hope you have enjoyed these pills as much as I have had fun writing them.
For comments, typos, complaints or whatever you want, drop me an e-mail at:
cisspills <at> outlook <dot> com
More resources:
Stay tuned for the next issues;
Join ”CISSP Study Group Italia” if you are preparing for your exam.
Brought to you by Pierluigi Falcone. More info about me on
Contact Details