1. In an Internet Banking Financial Institution, is Single Factor Authentication acceptable? Why or why not?
Yes, it can be acceptable because you can strengthen security elsewhere.

2. Explain the difference between Positive Verification and Negative Verification.
Negative verification is the opposite of positive verification. The customer must contact the bank to verify that the information is correct.

3. What vulnerabilities are introduced by implementing a Remote Access Server?
It could allow remote code execution, two heap overflows, and a cross-site scripting (XSS) vulnerability that could allow elevation of privilege, enabling an attacker to execute arbitrary commands on the site in the context of the target user.

4. What is a recommended best practice when implementing a Remote Access Policy server user authentication service?
Using multi-factor authentication.

5. Name at least 3 remote access protections or security controls that must be in place to provide secure remote access.
Authorized secure remote access; traffic inspection and coordinated threat control; centralized security management with enterprise-wide visibility and control.

6. When dealing with RADIUS and TACACS+ for authentication methods, what protocols are used at Layer 4 for each of these techniques?
UDP for RADIUS and TCP for TACACS+.

7. In TACACS+ communications, what part of the packet gets encrypted and which part is clear text?
MD5 for encryption and XOR for clear text.

8. In RADIUS authentication, what is the purpose of the "Authenticator"?
To provide a modest bit of security.

9. Which of these two, RADIUS and TACACS+, combines both authentication and authorization?
RADIUS.

10. Is combining authentication and authorization a less or more robust way of handling authentication? Explain.
Authentication and authorization must work in tandem to provide effective security. Without authentication, there would be no way to determine whether individuals are who they claim to be. Without some sort of authorization in place, it may not matter who they claim to be: with no authorization, essentially anyone could access anything simply by telling the truth about who they are.

Week 4 Lab Part 2: Align Appropriate PKI Solutions Based on Remote Access and Data Sensitivity
Assessment Worksheet
Lab Assessment Questions & Answers

1. Where can you store your public keys or public certificate files in the public domain? Is this the same thing as a Public Key Infrastructure (PKI) server?
The storage location is called the certificate store. Yes.

2. What do you need to do if you want to decrypt encrypted messages and files from a trusted sender?
Cipher.

3. When referring to IPSec Tunnel Mode, what two types of headers are available, and how do they differ?
AH and ESP headers. ESP provides encryption, authentication and the packet processing rules; AH does not provide encryption.

4. Provide a step-by-step progression for a typical Certificate Enrollment process with a Certificate Authority.
Authenticating the client or user.
Creating a PKCS #10 request.
Posting the request.
Retrieving the certificate.

5. When designing a PKI infrastructure, what are the advantages and disadvantages of making the CA available publicly over the Internet or keeping it within the private network?
Advantages in a private network: Supports cross-certification of other CA server hierarchies on the enterprise private network. The CA server is protected from public access and from intrusion or DoS attacks from the public Internet.
Disadvantages in a private network: Requires a slightly more complicated VPN router configuration. Because the CA server cannot be reached on the public Internet, enrolling a new branch requires a VPN administrator to certificate-enroll the VPN routers in one of the following ways: locally in the enterprise campus prior to shipping them to a remote location; over an IPSec pre-shared tunnel connection; or interactively through cut-and-paste certificate enrollment over a telnet/ssh session to a remote VPN router. Because the CA server cannot be reached from the public Internet, it cannot be used for other Cisco-specific applications that have public X.509 certificate requirements.
Advantages in a public network: Provides a CA server that can be used for IPSec tunnels or other Cisco-specific applications that have public X.509 certificate requirements. Provides the simplest enrollment for the VPN endpoint routers. Provides for cross-certification of other CA server hierarchies on the public Internet.
Disadvantages in a public network: Because the CA server is available to the public, it is a possible target for intrusion or DoS attacks. Precautions must be taken to protect the server.

6. Designing a PKI involves several steps. Per the Windows Best Practices for Designing a PKI, what are those steps? In your own words, explain what each step is meant to do.
Outline the business scenario: shows what parts of the job do what.
Define the application certificate requirements: write down the certificate requirements.
Create certificate policies and practices statements: create policies and practices and write them down.
Design the certification authority infrastructure: come up with the infrastructure to build a stable CA.
Create a certificate renewal strategy: come up with a new way for the certificates if something goes wrong.
Develop a CA management plan: come up with a way to maintain the CA plan against risks.

7. When deploying a PKI, it is important to understand how many CAs will be necessary to properly implement the infrastructure. Provide 3-5 important considerations that must be taken into account before deploying a PKI for a large environment.
Future applications you may need to support, cost, the resources you have to manage the PKI solution, the level of security, and flexibility and scalability.

8. What is the main function of the certutil.exe command line tool available in Microsoft Windows?
It displays information about the digital certificates that are installed on a DirectAccess client, DirectAccess server, or intranet resource.

9. What is the OpenSSL project and what is its mission?
It is a collaborative effort to develop a robust, commercial-grade, full-featured, open-source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general-purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

10. What is the purpose of Single Sign-on? Provide one example of how it benefits security and one example as to how it can increase security risk.
It is a property of access control across multiple related but independent software systems. The benefit is reducing password fatigue from different user name and password combinations. The risk is that it increases the negative impact if the credentials become available to other persons and are misused.
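Part 1, questions 7 to 9, ask what the RADIUS "Authenticator" is for. As an added example that is not part of the worksheet, the following Python models the two jobs the 16-byte Request Authenticator does in RFC 2865: it seeds the MD5 key stream that hides the User-Password attribute on the wire, and it is folded into the Response Authenticator so a client can check that an Access-Accept really answers its own request. The shared secret and authenticator bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values; a real client draws a fresh random
# Request Authenticator for every Access-Request it sends.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))


def hide_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then XOR each chunk with
    MD5(secret + previous ciphertext chunk), seeded by the Request
    Authenticator. Without a fresh authenticator the same password would
    look identical on the wire in every request."""
    blocks = max(1, -(-len(password) // 16))  # ceil, at least one block
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        out, prev = out + chunk, chunk
    return out


def reveal_user_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: rebuild the same key stream, chained on received ciphertext."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Binding the reply to the Request Authenticator is what stops a captured
    Access-Accept from being replayed against a later request."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def reply_is_genuine(code, ident, attrs, resp_auth, req_auth, secret) -> bool:
    expected = response_authenticator(code, ident, attrs, req_auth, secret)
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    print(hide_user_password(b"correct horse battery", SHARED_SECRET, REQUEST_AUTH).hex())
    accept = response_authenticator(2, 7, b"", REQUEST_AUTH, SHARED_SECRET)  # Access-Accept
    print(reply_is_genuine(2, 7, b"", accept, REQUEST_AUTH, SHARED_SECRET),
          reply_is_genuine(2, 7, b"", accept, bytes(16), SHARED_SECRET))
```

The second check in the main block shows the same Access-Accept being rejected when held against a different Request Authenticator, which is the replay protection the attribute provides.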