MCC CIS270 - Lesson 8

Lesson 8 - Identity and Access Management

Key Takeaways

  • Identity assertions - "I am Shane"
  • Authentication - "I can prove I am Shane with this password" (abbreviated authN)
  • Authorization - "Oh hi Shane, here's what you can do"
  • Protocols
    • RADIUS - network access AAA
    • TACACS+ - device administration AAA
    • EAP - a structure on which many variants are built
    • 802.1X - EAP and RADIUS for network access
  • Participants in 802.1X
    • Supplicant - client trying to access a network
    • Authenticator - the device via which they are trying to access the network (switch, access point)
    • Authentication server - receives query from authenticator; responds with result
    • Identity store - single source of truth for user accounts; generally Active Directory
  • Ye Olde Password Wisdom
    • High complexity
    • High length
    • Frequent rotation
  • Updated Password Guidance (NIST)
    • Lower complexity
    • Higher length
    • Limited rotation
  • Authentication Factors
    • Something we know (passwords, passphrases)
    • Something we are (facial recognition, fingerprints)
    • Something we have (phone with authenticator app, RSA token)
  • Access Control Approaches
    • Attribute-Based Access Control (ABAC) - access determined based on attributes like time, location, group, etc.
    • Role-Based Access Control (RBAC) - privileges applied to roles (or groups); users placed in these groups inherit their privileges
    • Rule-Based Access Control (RuBAC) - access determined by lists of rules, such as with firewall rules
    • Mandatory Access Control (MAC) - administrator defines access; users live with it
    • Discretionary Access Control (DAC) - users can manage access to resources they own
  • Filesystem Permissions
    • Linux permissions are simpler
      • User, group, and other (everyone else) can each get read, write, or execute permissions
      • Permissions have different effects depending on whether they're applied to files or directories
    • Windows permissions are wild
      • NTFS (filesystem) permissions are more granular and complex on their own
      • There are also share permissions
      • With file shares, both share and NTFS permissions apply; the most restrictive "wins"
      • Use Effective Access to troubleshoot - spare yourself the pain
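As an added example (not part of the lesson notes), a small Python model of the two permission rules summarised above: Linux consults only the first matching class (user, then group, then other), and a Windows file share grants only the rights allowed by both the share and the NTFS ACL, with NTFS Deny entries overriding Allow entries. The uids, group names, ACL entries and right names are constructed, and NTFS rights are simplified to a few names.

```python
def linux_effective(mode: int, file_uid: int, file_gid: int, uid: int, gids: set) -> int:
    """Return the rwx bits (r=4, w=2, x=1) that apply to user `uid` (member of `gids`)
    for a file owned by file_uid:file_gid with permission bits `mode` (e.g. 0o750).
    Only the first matching class is consulted, so an owner is NOT granted extra
    bits from the group or other class."""
    if uid == file_uid:
        return (mode >> 6) & 7      # user (owner) class
    if file_gid in gids:
        return (mode >> 3) & 7      # group class
    return mode & 7                 # other (everyone else)

def ntfs_effective(acl, principals: set) -> set:
    """acl: list of (principal, "Allow" | "Deny", set_of_rights). A right is effective
    when some matching Allow entry grants it and no matching Deny entry removes it."""
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in principals:
            (allowed if kind == "Allow" else denied).update(rights)
    return allowed - denied

def share_effective(share_rights: set, ntfs_rights: set) -> set:
    """Access through a file share: only rights granted by BOTH layers survive,
    which is the 'most restrictive wins' rule from the notes."""
    return share_rights & ntfs_rights

# --- constructed sample data (not from any real system) ---
NTFS_ACL = [
    ("Domain Users", "Allow", {"read", "execute"}),
    ("Finance", "Allow", {"read", "write", "delete"}),
    ("Interns", "Deny", {"write", "delete"}),
]
SHARE_RIGHTS = {"read"}   # the share itself only grants Read

def demo():
    # Linux: file mode 0o750 owned by uid 1000 / gid 100. A group member gets r-x (5);
    # a user outside the group gets nothing, even though the owner bits say rwx.
    owner = linux_effective(0o750, 1000, 100, 1000, {1000})
    member = linux_effective(0o750, 1000, 100, 1001, {1001, 100})
    other = linux_effective(0o750, 1000, 100, 1002, {1002})
    # Windows: an intern who is also in Finance keeps read+execute locally (the Deny
    # strips write/delete); through the share, only read survives.
    local = ntfs_effective(NTFS_ACL, {"Domain Users", "Finance", "Interns"})
    via_share = share_effective(SHARE_RIGHTS, local)
    return owner, member, other, local, via_share

if __name__ == "__main__":
    print(demo())
```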