
CISSP Exam Guide Notes: 5.6 Access Control Techniques and Technologies

血狼debugeeker
Published 2021-03-02 10:50:29
Included in the column: debugeeker's column

Constrained User Interfaces


Constrained user interfaces restrict users’ access abilities by not allowing them to request certain functions or information, or to have access to specific system resources. Three major types of constrained user interfaces exist: menus and shells, database views, and physically constrained interfaces.

Remote Access Control Technologies


RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a network protocol that provides client/server authentication and authorization, and audits remote users.

TACACS

Terminal Access Controller Access Control System (TACACS) has been through three generations: TACACS, Extended TACACS (XTACACS), and TACACS+. TACACS combines its authentication and authorization processes; XTACACS separates authentication, authorization, and auditing processes; and TACACS+ is XTACACS with extended two-factor user authentication.

TACACS uses fixed passwords for authentication, while TACACS+ allows users to employ dynamic (one-time) passwords, which provides more protection.

RADIUS encrypts the user’s password only as it is being transmitted from the RADIUS client to the RADIUS server. Other information, such as the username, accounting, and authorized services, is passed in cleartext. TACACS+ encrypts all of this data between the client and server and thus does not have the vulnerabilities inherent in the RADIUS protocol.

The RADIUS protocol combines the authentication and authorization functionality.

TACACS+ uses a true authentication, authorization, and accounting/audit (AAA) architecture, which separates the authentication, authorization, and accounting functionalities.

Diameter

Diameter is another AAA protocol that provides the same type of functionality as RADIUS and TACACS+ but also provides more flexibility and capabilities to meet the new demands of today’s complex and diverse networks.

The Diameter protocol consists of two portions. The first is the base protocol, which provides secure communication among Diameter entities, feature discovery, and version negotiation. The second is the extensions, which are built on top of the base protocol to allow various technologies to use Diameter for authentication.

Diameter uses TCP and attribute-value pairs (AVPs), and provides proxy server support.

Because it has a large AVP set, Diameter can provide AAA functionality for other protocols and services.

Diameter provides the following AAA functionality.

Authentication:

  • PAP, CHAP, EAP
  • End-to-end protection of authentication information
  • Replay attack protection

Authorization:

  • Redirects, secure proxies, relays, and brokers
  • State reconciliation
  • Unsolicited disconnect
  • Reauthorization on demand

Accounting:

  • Reporting, roaming operations (ROAMOPS) accounting, event monitoring

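For the remaining content, see my WeChat official account debugeeker; the link is CISSP Exam Guide Notes: 5.6 Access Control Techniques and Technologies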

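This article is part of the Tencent Cloud self-media sync exposure program and is shared from the author's personal site/blog.
Originally published: 2021/02/14. In case of infringement, contact cloudcommunity@tencent.com for removal.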
