Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time.
Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast.
Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
(00:20):
All right, let's get started.
Let's go.
Cybersecurity knowledge. All right, let's get started.
Speaker 2 (00:30):
Good morning everybody.
It's Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today.
Today is Memorial Day and today we are pretty excited about being able to share some great opportunities and things that are going on within CISSP, but we also want to express our gratitude for the folks that have served and died.
Within our country, at least in the United States, one of the most free world countries, there's people that have given
(00:51):
their lives and sacrificed their lives for the betterment of society.
So of all that, it's an important time for us to remember these folks as our, at least in the United States.
Our country would not be here if it was not for them.
So Memorial Day is a pretty solemn day here in the United States.
That being said, we're going to be talking about some interesting things as far as it relates to domain 5-6 of the
(01:13):
CISSP exam, and before we get started with that, I had an article that I saw as it related to NIST.
Now, one of the areas that I'm running into, as it comes down to working with different companies, is metrics.
Yes, metrics are an important part of all organizations, and if you can't measure it well then how do you know you really did it.
So it's an important thing that for you to, when you're
(01:34):
thinking about how do I best protect my company, how do I, as a senior leader, help.
I give information to them, and metrics is a big part.
Now this came out from the National Institute of Standards and Technology here in the United States and they're introducing a new metric.
Now I don't know if you all know what the Trump administration pretty much gutted a big chunk of the NIST environment, but I guess this metric was one that's made it
(01:57):
through its way.
Now they created a white paper, a technical white paper around it that was published May 19th.
Now the thing about it is it talks around likely exploited vulnerabilities to help your organization determine, basically, if a product vulnerability is out there for it.
Now it prioritizes those by focusing on the most likely to
(02:18):
be exploited and it uses CVSS.
So it uses your Common Vulnerability Scoring System and it's designed to look for any shortcomings with the CVSS that may not adequately reflect what's actually going on in real-world exploitation.
So there is a gap, right.
So there's analysis that goes on.
Is it actually what's occurring out there in the real world, is
(02:39):
it not?
Now this uses a different kind of sources from threat intelligence feed, exploited databases and then real-world attack data to determine the potential likelihood that this may occur to the product that it's going after.
So the interesting part is going to be is how will this actually play out?
Now they've given some areas in here saying that there's a
(03:02):
30-day window in which it gets most of the data from. Outside the 30-day window?
Yeah, all bets are off.
It does have some challenges related to the overall product itself and it does say that it doesn't really know how well this is all going to play out.
One of the things I think down here at the bottom of the list it does talk about exploited within 30 days will not receive
(03:23):
a score.
Anything outside of that will receive a score.
So actually I was mistaken when I said that, but anything outside the 30 days will get the score, but if it's within the 30 days, it will not get the score.
An interesting part is just going to be I would highly recommend you go out and read the white paper as you're putting together metrics for your organization.
You want to see if this is something that maybe you want to put on your radar and think about it a little bit.
(03:44):
I think it's going to take some time as it gets flushed out within NIST and within various other entities out there, security platforms that are trying to look for different vulnerabilities.
We'll see how it gets adopted but potentially another vulnerability or another metric that could be used to help determine how at risk your organization is.
And I think, as a person who's consulting with very large
(04:07):
companies, metrics are a big thing, but we also know that metrics are not utilized much at all.
So I would highly recommend that, if you haven't gotten into metrics within your organization, start looking at some of those.
Mean time to detect, mean time to respond.
Some of those aspects I think will be really valuable for you to really truly understand what is the risk to your organization.
So just a question, maybe a question or pose into the group
(04:31):
if something you might be interested in and looking into.
Okay, so let's move on to what we're going to talk about today.
Okay, so this is domain 5.6, implementing authentication systems, and all of these videos, again, as we talked about before, are all available on CISSP Cyber Training.
So what is this?
OpenID Connect, OIDC, and open authorization, or OAuth.
(04:53):
So what the basic context of all this is is these are standard authentication frameworks that are used for what they call token-based authentication, and this provides your user, like Sean Gerber.
It provides my account data to third-party services such as Google, Facebook, and you've seen this a lot.
When you're logging into something, it says which
(05:14):
credentials do you wanna use?
Do you wanna use Google?
Do you wanna use Facebook?
Some other credentials that are out there, or, if you have the username and password, that's a possibility as well.
So it doesn't reveal the user account credentials to this third party, but it basically says that they are giving you the thumbs up, that you are the right person, because there's an access token that gives that specific information on to
(05:34):
whatever company it is to authorize you.
Now, this gaining of this token is called the authorization flow.
Now, OAuth 1.0 was released in 2007, and it was basically put together for the Twitter API.
In 2010, OAuth 2.0 was released, but it was not backward compatible to OAuth 1.0.
(05:55):
So the ultimate goal, though, is we are at OAuth 2.0.
Authorization flow is allowed for mobile apps, short-lived tokens and simplified signatures.
You will deal with OAuth a lot in your cybersecurity world.
You'll hear people talk about it all the time, and just think about it as it's your single sign-on capability to be able to transfer those, federate, those credentials from outside the
(06:16):
organization into the organization.
So it's a great tool that's available for people to be able to use.
Now, OAuth operations: this does allow end users access to one app, to data store, to another, without re-entering your credentials, like we kind of talked about.
So if you enter into, I know, if I want to log into, um, we'll just say Facebook.
Well, Facebook, something everyone, but let's say, whatever
(06:38):
website you want to go to, it will pop up.
Do you want to use your Google authentication or something else that allows using that one credential, so you don't have password reuse and you have that access into that overall system.
Now the secure, authentic authorizations for the users who have already been authenticated does reduce the friction, right.
It also reduces the fact, like I just mentioned earlier, of
(06:59):
having password reuse.
Now, I don't know, we all have dealt with that.
I know I have it as well, but we've all dealt with password reuse and the goal is to move away from that as much as possible.
Why?
Because one, the passwords that we do reuse on a routine basis have been compromised.
So the moment that you put a password in that's been compromised.
You're now in a situation where you're automatically adding a
(07:21):
level of, you're accepting a level of risk that you may not want to do and, as a security professional, it's imperative that you talk to your people about this to ensure that they don't have password reuse and you provide them tools to help them in this situation.
But this is a great way with OAuth is that you can then have.
You don't have to worry about that as much because they have
(07:41):
been authenticated to that provider.
Now, OAuth 2.0 has four specific roles.
It's a resource owner, and this is the user that grants access to the protected source.
You have a client.
It is the current application being used.
You have a resource server.
This is where the external application that needs to be
(08:01):
integrated, such as your Google, your Dropbox, Facebook and all those.
That is what they call a resource server.
And then you have your authorization server.
This is responsible for authorizing resources which are allowed for access.
Once you get access to the whatever that is going to be, then now what is the actual authorization you are allowed to gain access to?
You can contact one server for authorization and pull resources
(08:24):
from a separate server because of the intertwined and the federated access that these allow.
Now, this supports four process flows, and we won't go into the process flows specifically, but something for you to consider is client credential flow, authorization code flow, resource owner password flow and implicit flow of a form post.
So these are the different types of flows that you can gain
(08:47):
access to utilizing OAuth and OAuth 2.0.
Now, OpenID Connect.
This was developed in 2005 as a security specification for single sign-on, and OpenID allows for authentication services and websites to exchange security details based on a standard framework than which they agreed to.
(09:08):
Now, in 2014, this new version was named OpenID Connect or OIDC, and this is where it was created.
This strengthens OAuth 2.0 because it does allow the extension or the credential exchange between the different entities, the different federated frameworks, and it does allow for interoperability, identity management and overall
(09:29):
support.
So the goal was to have end users have the ability to log in just once across different multiple resources and use the security credentials to do that.
Now, potentially, it's a better way for organizations to replace their on-prem access management.
I've dealt with this.
What it comes down to is maybe you have a Ping ID and, rather than having Ping ID and then having something else, they will
(09:50):
then opt to go to an OIDC model which will work with OAuth, and then you can utilize your Google passwords into your organization, and it's a better way to replace your on-prem access management solutions, that you may not want to have two different tools and pay for them.
You may want to integrate this OIDC model into your environment.
Not everybody wants to do that.
(10:14):
Some people like to have this separate ability to control some of those access.
So, like in the case of Ping ID, you now, as an enterprise, would have the ability to control who gains access to what within your organization.
Whereas it deals with OIDC, there's some of that restrictions, or some of that capability is restricted or pulled away from you.
Now there are other ways to stop access, right, but it does.
It takes a little bit of that out of your hands, and so that's
(10:36):
why some companies may or may not move down to this path.
Now, OIDC Connect, some of the operations and how it's worked.
It's currently supported by many web services, Google, PayPal, etc.
And the main focus of this is authenticating users, and OIDC does specifically use OAuth 2.0 specifications.
Okay, so it does.
They're integrated in many ways.
(10:58):
Now can you operate them both separate?
Yes, but OIDC working together with OAuth 2.0 works very, very well: the authentication with cryptographic signed tokens, sharing user profile information, and there's other features that help resolve some of the security issues they had with OAuth 2.0 by marrying these two together.
So again, OIDC, OAuth 2.0.
(11:22):
Now, Security Assertion Markup Language.
Now, what is SAML?
So Security Assertion Markup Language, otherwise known as SAML, is an open standard for exchanging authentication and authorization data between various security domains.
Now it does allow you to log in to once to a website or service and then it accesses the other different websites or
(11:43):
services that you need to log into.
It's also known as web single sign-on.
As an example, the military: I have a place that I go and I log into that one website and that one website then will carry the credentials to multiple other military websites that I have, and so it's basically a web single sign-on capability.
That would be under SAML.
So SAML Connection.
(12:04):
Now it was developed by OASIS Security Services in a committee in the early 2000s, designed specifically for web applications, and what is it?
The ultimate purpose that it solves is it uses Google's workspace for email.
Like, so say, you use Google Workspace for your email capability, but a separate vendor for your learning management or your LMS system and then potentially another one
(12:26):
for career services.
Without SAML, you would need to log into these separately, and so that's an important part where SAML will allow you to integrate between the two and these different web services.
It solves the building of a trust relationship between the different organizations and the different login systems, because your school's login system then could tell the LMS yes, you've already logged in with the school.
(12:47):
Now the LMS will allow you in. Same with the fact is, the school will tell you with your career services.
It is using that trust relationship, and it's that SAML is an important part of the overall connectivity between these, and I was with a guy the other day and he made a comment about the connective tissue.
Right, so you have, your body has got connective tissue and muscles.
(13:07):
Well, this stuff is the connective tissue that puts it all together.
Now, one of the core ideas is assertions and trust, which we talked about before.
SAML works by exchanging specifically formatted XML, which is your Extensible Markup Language, messages called assertions.
So it's basically exchanging assertions back and forth, and
(13:27):
this is basically a statement from one system.
This is who they say they are and these are the permissions they should have, and they're telling these systems back and forth and that is what this assertion is relying on.
Now it relies on pre-established trust between the systems involved.
If you don't have that trust, obviously this won't work, but it does help reduce the friction of people logging on and
(13:47):
transferring from credentials from one to the next.
It really truly does also help minimize the overall password reuse.
It does help immensely with that.
I would also highly recommend that you do, if you haven't at this point, got some sort of password manager to basically help keep any additional passwords that you can't necessarily use in this format.
(14:09):
Now how SAML works.
This is basically you're a person trying to log in.
Okay, the service provider or the website will want to ask you for information, like we talked about your school's LMS, your cloud service, whatever.
It is the system that authenticates your identity, your school's login server.
That's the identity provider, okay, okay, so you have your
(14:30):
service provider, which is providing the service, and then you have your identity provider.
The SAML assertion is like a verified ID card, and now we know in the United States we have our whatever that is on your ID.
You have the gold star, right.
They're the identity provider that issues this card.
And then, when the service provider sees this situation, they will then trust it as and let you in without asking any
(14:51):
more credentials.
They say, yep, that's you, you are now allowed in, and this really makes it super nice, but there are challenges that come with this.
It's just imperative, though, that you understand what is the overall ecosystem and how it works together.
Now, simplified web SSO flow.
You have access requests.
The user's trying to access a protected app, a protected
(15:13):
application, basically the service provider.
You will then.
The service provider will realize you're not logged in and will do a redirect to your browser that has the identity provider's page.
You've seen this before, where you're going to try to log in and it says oh, that's, I don't know who you are.
At this point, I'm going to pitch you off to this identity provider, or this, hey, this is Google's authentication page.
(15:35):
You then log into the identity provider using your username and password, right, so?
Or, and potentially MFA, if you have that, which I highly recommend, but you then log in, what, and?
After that occurs, and after a successful authentication, the identity provider will do a SAML assertion, that verified ID card, and it will send this back to your web
(15:56):
browser saying yes, Sean is who he says he is, then you're then redirected to the service provider, which is where you wanted to go in the first place.
That's automatically done for you.
So once this all is provided, and once it's all attested to, then you're basically allowed access in.
If for some reason it's not, then you will be denied access
(16:17):
to it at that point.
But the goal is that it's taking care of you and now it's keeping that token that, yes, Sean has logged in, and it's keeping that for a period of time and it will.
Then, if I log into another application, that the trust is there, that assertion will go with it.
So what are the benefits of SAML? Cross-domain single sign-on, right?
So if you've got multiple websites, multiple organizations
(16:39):
, it does give you that ability to do single sign-on across these different locations.
It also improves the user experience, right.
No need to remember multiple passwords or log in repeatedly.
It's a huge factor, right?
And the security piece of this: a centralized authentication, scattered credentials, password reuse, right? Avoids a lot of that.
And especially when you get to a point where, if you're not
(17:02):
using a password manager of some kind, your password reuse is monkey butt one, two, three, and then you get to a new location, you go well, now it's monkeybutt1234, with an exclamation point, something like that.
That's how it ends up happening if you get these situations where you're just not keeping track of all your credentials.
So some important other considerations is web-based
(17:22):
focus, primarily designed for web applications and browser-based interactions.
There is some complexity related to it when you're doing an initial setup and it requires careful configuration to establish these trusts between the IdPs and the SPs.
It does.
It takes someone who's skilled with doing this, otherwise you're just going to get frustrated and it won't work.
So it's an imperative part of this that you really have good,
(17:44):
careful configurations and it is configured in a way that the credentials cannot be compromised.
Kerberos. Now we're into Kerberos and this is where a network authentication protocol that does provide strong authentication for client-server applications using a secret key, crypto.
So that's the Kerberos.
So it's a little bit different, but it's basically dealing with between client to servers, right? A lot of times within your
(18:06):
organization.
This allows users to prove their identity to network services like file servers or email, without sending their passwords over the network.
So you log in once and now Kerberos has got you taken care of.
Now, it was developed by MIT in the 80s and its name comes from the three-headed dog, the Greek mythology, Kerberos, right?
(18:27):
So it's a guard of the underworld and it's basically saying, yes, we have three main components and because these three main components, we are going to make the dog that will keep you protected.
That's the ultimate goal of Kerberos, right?
So what does it solve?
So let's just say, for example, you need to access a lot of different services: emails, files, printers, you name it, right? On
(18:48):
one specific network.
Well, without Kerberos, you might have to basically send your username and password to each of these services over and over again, which can be, one, obviously intercepted, and two, can be extremely annoying.
So the goal of this is to provide some level of single sign-on experience where you prove your identity once and then these tickets are used to access other services securely.
(19:09):
Now we do talk about this in the hacking side of the world.
There was the golden ticket, which, if you take your ticket, it could then basically take in that Kerberos authentication and you could become that person.
Those were some vulnerabilities that happened many, many years ago on some older type systems, but it's the same concept, right?
It's a ticket that allows you to gain access to these
(19:30):
different types of services within a single network.
Now, the core idea around this is that it's a trusted.
It uses a trusted third party, a special specific server used to verify your identity, and instead of passwords, you get these tickets to prove that who you are and other services.
They're like a temporary pass, the golden ticket that lets you log into different parts of your network without showing your ID
(19:53):
every time.
So it's like going to Disney World and you have your golden ticket, your park pass or whatever they call that pass, and it allows you in to all the different rides.
Same kind of concept.
And this is where it's a trusted third party.
Now, how does it actually work?
So your network services you want to access, so you've got your client as your computer, your server that you want to get
(20:14):
access to.
Then there's another term that you may hear and you may see on the CISSP exam is called key distribution center.
Now, key distribution centers are used a lot, not just within Kerberos, but you'll get them within the cloud environment.
They are something that will maintain and manage server keys.
Now, a central Kerberos server has two main parts: an authentication service and a ticket granting service, TGS.
(20:38):
So, authentication service, AS, and a ticket granting service, TGS.
So again, the AS verifies your login.
Your ticketing service gives you the tickets, the golden tickets, to allow you access to the specific services.
So you like again we talked about there with the ticketing.
It's gonna be in a movie.
If you paid for the movie, you have your ticket.
(20:58):
By walking into the movie theater, which I just went and saw a movie.
It now says, yes, you're being allowed.
Now the fact is is that you could view, I don't know if you all seen tickets in today's world, there are QR codes that are on your phone.
Can those be potentially hacked?
Well, they are, but they're not as easy.
In the past you could make a ticket look like the legitimate ticket and people wouldn't really even know.
(21:20):
You just go here's my ticket.
Let me in.
Now they get scanned.
They get all kinds of aspects that are done with a movie ticket.
Same concept, right?
It can't be easily faked or reused for a different movie because of the fact that it's using its cryptographic functions for that.
Now you have simplified authentication flow.
What does this mean?
So you're basically, when you initially log on, you, the
(21:42):
client, enter in your username and password of the computer and your computer then sends an authentication service request to the KDC, to your key distribution center, the ticket granting ticket.
If your login is correct, the authentication server will give your computer a special ticket granting ticket, TGT.
TGT, the ticketing granting service, will do this.
Your TGT is your proof that you've been authenticated to the
(22:05):
KDC.
So again, lots of acronyms.
So if you're going to go to CISSP Cyber Training, you can actually see all the video that's there.
You request this service ticket when you want access to a specific network service.
This is where you request this done and the ticketing granting service on the KDC will then send your ticket to the TGS on
(22:26):
the KDC, the service ticket that was out there.
The TGS then gives your computer a service ticket specifically for that file server.
So it then passes you saying yes, I've authenticated you.
I'm now going to give you the service ticket and now you can access that specific file server.
Accessing the service: your computer then sends the service ticket directly to the
(22:48):
file server and the file server then relies or verifies that the ticket of the KDC then granted your access.
So there's this back and forth.
So you get the AS gives you a TGT.
The TGT then goes to the TGS to make sure that, yes, you are who you say you are and that they agree because the KDC verified your authentication.
The TGS then turns around and gives a service ticket.
The service ticket then is sent to this file server directly
(23:19):
and the file server then verifies yes, Sean is allowed access, and then life is good.
That is the flow.
Now the ticket granting ticket can be intercepted and if it didn't have those cryptographic functions built into it, it could potentially be copied and reused, which there were some vulnerabilities with that in the early years.
Like I mentioned before, the point of it is Kerberos is a complicated process that is behind the scenes that in many ways we don't even see it.
(23:39):
We don't see it happening, but there's a lot of great authentication that's occurring to ensure that Sean is exactly who Sean says he is.
Now some of the benefits of Kerberos: you have strong security, right, passwords are never sent across the network in their initial, after initial, login.
You have single sign-on: log in once, access many services.
There are some important considerations: time
(24:01):
synchronization, all the computers in the Kerberos system must have their clocks synchronized extremely close, and you'll know that there's a clock service that's set up, right, or time service.
KDC's availability.
If the KDC goes down, no one can get new tickets, so redundancy is crucial if you're relying on Kerberos, so you need to understand time, so your time server.
(24:22):
And two, you need to have KDC up and available at all times.
Okay, so now we're going to get into remote authentication, RADIUS and TACACS.
These are the last parts we're going to talk about in this section.
So, remote authentication, so the challenges of remote access.
As we know, after COVID, people now we can.
We've more than ever.
People work anywhere, everywhere, using various
(24:43):
devices, from laptops to phones, you name it.
They have access.
You got Starlink, you are in business anywhere in the globe.
The problem is how do you make sure that only authorized people can access the resources, no matter where they are.
They're no longer sitting in a data center somewhere.
They're actually maybe in the Philippines, I don't know.
The point of it is how do you ensure that the right people are
(25:03):
gaining access?
So a solution to this is the central authentication, authorization and accounting systems.
These are AAA systems.
You'll see this in the CISSP, where that's authentication, authorization and accounting.
Authentication: who are you? Proving your identity with the username and password.
Authorization: what are you allowed to do? Defining your
(25:26):
permissions. And then accounting: what did you do?
Keeping records of your activity, right.
It's always good to have accounting and audit available, making sure that you did what you're supposed to do.
So when you're dealing with the solution, it's the AAA system.
You'll hear about that.
It's authentication, authorization and accounting.
Who are you, what are you allowed to do and what did you do when you were there?
(25:47):
Now you enter in RADIUS and TACACS.
Okay, so there's two main protocols or sets of rules that make the centralized AAA possible.
They act as the security guard at the door of your network.
Checking IDs and permissions and understanding them is really a key part of ensuring that you have a secure, manageable network within your organization, especially for your remote
(26:08):
access users.
So, RADIUS: this is Remote Authentication Dial-In User Service.
Yeah, dial in, right.
Wow, that's a blast from the past, but RADIUS is still used, even though that has a lot of connotations from many years gone by.
It is used in many, many organizations and it's designed for network authentication and accounting, especially when you're dealing with Wi-Fi, is
(26:29):
an important part where you'll do with RADIUS servers a lot, and if you're connecting to a company VPN or so forth you will use a RADIUS server.
So how does this all work?
Well, let's say, for example, you want to connect to a network access server, so a NAS, and this could be done through your Wi-Fi router, whatever you want to be, but you want to connect to a NAS.
The NAS asks the RADIUS server: is this user allowed in?
(26:53):
Basically with your credentials.
The RADIUS server then will check your identity against the database.
That's yes, that's there, and it'll then say yes or no, yeah, whatever it is.
I was going to say it in Russian, but I can't even remember what the word is.
No, yes or no, it's either one, right, da?
Yeah, I think that's yes, da, nyet, or something like that.
(27:14):
Yeah, see, I can't even speak Russian.
I think I just watched Mission Impossible.
I should know that, right.
But the point of it is is that it is allowing you access to these systems.
It's used through a RADIUS server and then remote access, yes or no, will be allowed into that database, if, or that NAS server.
If the database comes back and says yes, you can do that.
Now some key features of the RADIUS server: it uses UDP, so
(27:37):
it's fast.
It's much more fast than in the TCP connection, but it's less reliable, right?
So it's like sending a postcard, but it could get lost, but not typically, for sometimes, you know.
But UDP is not necessarily one postcard.
It's like a lot of postcards, right?
It's just it's. You're throwing out all kinds of stuff at you.
(27:58):
Now it combines authentication, authorization.
So when you say RADIUS, it says you're in.
It combines the authentication and the authorization piece of this and it grants you a level of access to your organization.
It is widely supported.
Almost all network devices work with RADIUS and it's been around for a long time.
And that's why, because it is so useful.
It's great for Wi-Fi authentications, VPNs and general network access.
(28:18):
So again, RADIUS servers, you'll see them.
They are deployed in many different formats.
So what is TACACS?
TACACS is a Terminal Access Controller Access Control System Plus.
Right, that's a lot of words.
TACACS, Terminal Access Controller Access Control System.
You got access control in there twice, right?
(28:39):
Well, the primary purpose of this is securing administrative access to network devices such as routers, switches, firewalls.
They will use TACACS Plus to do this.
So how does this work?
Well, an administrator will try to log on to a network device, i.e. a router, right?
The device asks the TACACS server: is this admin allowed to log in? Your authentication piece of it, when the TACACS server
(29:03):
says, yes, you're in, right.
Well, is this admin specific command?
That's your authorization piece of it.
Now it's going to say yes or no, right, the server records every command executed and it gives you that accounting piece of it as well.
So you have authentication saying is this person allowed?
You have the authorization, is that, is this admin allowed to run this specific command?
(29:24):
And then the last part is this is all kept and recorded,
so again, for future use potentially.
That is the simplified version of how TACACS works.
So some key differences, obviously, between TACACS and
RADIUS.
The features around this: it is TCP. Okay, it doesn't use UDP,
and it utilizes TCP. One, for a better connection, guaranteed
(29:49):
delivery.
It's crucial for critical administrative tasks that you
need a TCP, an established connection.
It separates AAA.
This is how it works: it has authentication, authorization
and accounting as all separate and distinct steps, not like the
other pieces where they're all bundled together in one step.
This has got them in specific steps.
That is much better, especially for dealing with managerial
(30:12):
type of activities.
It has full encryption.
The entire communication path is encrypted, making it very
secure, obviously, because you're going to be doing
administrative tasks.
It's got command-level authorization, which allows you to
control exactly what commands the administrator can run on
that device, so you can limit what this person can or cannot
do.
It's great for IT staff, network equipment and obviously
(30:33):
ensuring you have strict control over who can make the changes
within your organization.
That is TACACS.
So again, if you're dealing with RADIUS versus TACACS:
primary use of RADIUS, user network access; TACACS, device
administration, that's more the admin type of activities.
Reliability: UDP with RADIUS, TCP with TACACS. The control
(30:56):
level is session-level authorization for RADIUS, versus TACACS
does command-level authorization, very granular.
And then encryption is password only for RADIUS, and then in
TACACS+ the entire payload is encrypted.
So best practices for securing your AAA related to these
is, one, strong secrets.
Obviously using long, unique passwords or shared keys for
(31:19):
both protocols is an important part.
Link your RADIUS and TACACS servers to a central user
database, such as Active Directory, for centralized access.
Review your logs regularly.
You should have this going into your SIEM, or you should be
looking at them on a regular basis, especially when you're dealing
with TACACS, to look for any potential suspicious activity.
If you have an AI component within your organization, allow
(31:41):
your AI activity to be able to look at the logs associated with
both of these, RADIUS and TACACS.
Redundancy: always have backup RADIUS and TACACS servers in the
case one fails.
Virtualized systems are an important part.
If you have one that's an on-prem type system, do you have
the ability to maybe roll that to a virtual version, and then
(32:01):
add MFA for an extra layer of security?
I do recommend, obviously, adding MFA to anything that you
do in any sort of protocol that you have out there dealing with
security.
It's an important factor in all of this that MFA is added as an
additional security tool.
Okay, these are the references we have for today's lesson.
(32:22):
Thank you so much for joining me today on CISSP Cyber Training.
I hope you guys got a lot out of this.
It's a great time together.
If you guys are spending time on Memorial Day, enjoy your
family, enjoy what people have done for you in this country.
If you are looking to get your CISSP, go to CISSP Cyber
Training.
Go check out what I've got at CISSP Cyber Training.
It's awesome stuff for you.
You will love it.
(32:43):
It's incredible.
A lot of great information that'll help you pass the CISSP
exam the first time.
That's what we want.
We want you to pass the CISSP the first time and move on with
your cybersecurity career.
So again, thank you so much for joining, and we will catch you
all on the flip side. See ya.
Thanks so much for joining me today on my podcast.
If you like what you heard, please leave a review on iTunes,
(33:04):
as I would greatly appreciate your feedback.
Also, check out my videos that are on YouTube, and just head to
my channel at CISSP Cyber Training and you will find a
plethora, or a cornucopia, of content to help you pass the
CISSP exam the first time.
Lastly, head to CISSP Cyber Training and sign up for 360
free CISSP questions to help you in your CISSP journey.
(33:27):
Thanks again for listening.