1. Define Authentication
- Authentication can be defined in two contexts.
- Regarding access control, authentication is the verification of the credentials to ensure that they are genuine and not fabricated.
- Other access control terms include: identification, authorization, and access.
- Authentication can also be viewed as one of three key elements in security: authentication, authorization, and accounting, known as AAA ("triple A").
- Authentication in AAA provides a way of identifying a user, typically by having them enter a valid password before granting access.
- AAA servers, which are servers dedicated to performing AAA functions, can provide significant advantages in a network.

2. Describe the different types of authentication credentials

- Although passwords are the most common form of authentication credentials (based on what a person knows), there are several other types for computer users. These include one-time passwords, standard biometrics, behavioral biometrics, and cognitive biometrics.
- A growing trend is to move away from static passwords to dynamic passwords that change frequently. These are known as one-time passwords (OTP).
- Systems using OTPs generate a unique password on demand that is not reusable.
- There are several types of OTPs; the most common is the time-synchronized OTP.
- In addition to time-synchronized OTPs, challenge-based OTPs are also used.
- Standard biometrics uses a person's unique characteristics for authentication (what a person is), such as fingerprints, faces, hands, irises, and retinas.
- Behavioral biometrics authenticates by the normal actions that the user performs.
- Three of the most promising behavioral biometrics are keystroke dynamics, voice recognition, and computer footprinting.
- The field of cognitive biometrics is related to the perception, thought process, and understanding of the user.
- One example of cognitive biometrics is based on a life experience that the user remembers. Another requires the user to identify specific faces.

3. List and explain the authentication models

The authentication models include single and multifactor authentication and single sign-on.
Using only one authentication credential, such as requiring a user to enter a password (what a person knows), is known as one-factor authentication.
Two-factor authentication, such as using an OTP (what a person has) and a password (what a person knows), enhances security, particularly if different types of authentication methods are used.
Three-factor authentication requires that a user present three different types of authentication credentials.
Identity management is the use of a single authenticated ID shared across multiple networks.
When those networks are owned by different organizations, it is called federated identity management (FIM).
One application of FIM is single sign-on (SSO), or using one authentication to access multiple accounts or applications.
Windows Live ID was originally introduced in 1999 as .NET Passport. It was known as Microsoft Passport Network before its name was changed to Windows Live ID in 2006.
Windows CardSpace is a feature of Windows that is intended to give users control of their digital identities while helping them manage privacy.
OpenID is a decentralized open source FIM that does not require specific software to be installed on the desktop.

4. Define authentication servers

The most common types of authentication and AAA servers are RADIUS, Kerberos, TACACS+, and generic servers built on the Lightweight Directory Access Protocol (LDAP).
RADIUS, or Remote Authentication Dial-In User Service, was developed in 1992 and quickly became the industry standard, with widespread support across nearly all vendors of networking equipment.
RADIUS is suitable for what are called "high-volume service control applications" such as dial-in access to a corporate network.
Kerberos is an authentication system developed by the Massachusetts Institute of Technology (MIT) and used to verify the identity of networked users.
Similar to RADIUS, Terminal Access Controller Access-Control System Plus (TACACS+) is an industry standard protocol specification that forwards username and password information to a centralized server.
The International Organization for Standardization (ISO) created a standard for directory services known as X.500.
The purpose of the X.500 standard was to standardize how the data was stored so that any computer system could access these directories.
The X.500 standard defines a protocol for a client application to access an X.500 directory, called the Directory Access Protocol (DAP). However, DAP is too large to run on a personal computer.
The Lightweight Directory Access Protocol (LDAP), sometimes called X.500 Lite, is a simpler subset of DAP.

5. Describe the different extended authentication protocols

The management protocol of IEEE 802.1X that governs the interaction between the system, authenticator, and RADIUS server is known as the Extensible Authentication Protocol (EAP).
EAP is an "envelope" that can carry many different kinds of exchange data used for authentication, such as a challenge/response or OTP.
The EAP protocols that exist today can be divided into three categories: legacy authentication protocols, weak EAP protocols, and strong EAP protocols.
- The three legacy authentication protocols are:
--Password Authentication Protocol (PAP)
--Challenge-Handshake Authentication Protocol (CHAP)
--Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)
- Weak EAP protocols include:
--Extensible Authentication Protocol-MD5 (EAP-MD5)
--Lightweight EAP (LEAP)
- Strong EAP protocols include:
--EAP with Transport Layer Security (EAP-TLS)
--EAP with Tunneled TLS (EAP-TTLS) and Protected EAP (PEAP)
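An added illustration of the challenge/response exchange used by the legacy CHAP protocol listed above (EAP-MD5 reuses the same MD5 construction); this is example code written for these notes, not taken from them. The authenticator issues a fresh random challenge and the peer answers with MD5(Identifier || secret || Challenge) as specified in RFC 1994. The peer table and secret are constructed demo values; note that the authenticator must hold the cleartext secret to check the response, which is one reason these protocols sit in the legacy/weak categories.

```python
import hashlib
import hmac
import os

# Constructed demo peer table. CHAP can only be verified if the authenticator
# keeps the peer's secret in cleartext (or reversibly), unlike a salted password hash.
PEER_SECRETS = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) Response value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator side of the exchange: issue challenges, check responses once each."""

    def __init__(self, peers):
        self.peers = peers
        self.identifier = 0
        self.outstanding = {}                    # identifier -> challenge awaiting a response

    def challenge(self):
        self.identifier = (self.identifier + 1) % 256      # CHAP identifier is a single byte
        chal = os.urandom(16)                    # unpredictable challenge: a captured response is useless later
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.outstanding.pop(identifier, None)     # each challenge is consumed exactly once
        secret = self.peers.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison


if __name__ == "__main__":
    server = ChapAuthenticator(PEER_SECRETS)
    ident, chal = server.challenge()
    resp = chap_response(ident, PEER_SECRETS["alice"], chal)   # computed on the peer
    print(server.verify(ident, "alice", resp), server.verify(ident, "alice", resp))  # True False
```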

6. Explain how a virtual private network functions

Remote Access Services (RAS) refers to any combination of hardware and software that enables remote users to access a local internal network.
One of the most common types of RAS is a virtual private network (VPN).
A VPN uses an unsecured public network, such as the Internet, as if it were a secure private network.
There are two common types of VPNs.
A remote-access VPN or virtual private dial-up network (VPDN) is a user-to-LAN connection used by remote users.
The second type is a site-to-site VPN, in which multiple sites can connect to other sites over the Internet.
VPN transmissions are achieved through communicating with endpoints.
Depending upon the type of endpoint that is being used, client software may be required on the devices that are connecting to the VPN.
VPNs can be software-based or hardware-based.
Software-based VPNs offer the most flexibility in how network traffic is managed.
Hardware-based VPNs are more secure, have better performance, and can offer more flexibility than software-based VPNs.
