Constrained User Interfaces
Constrained user interfaces restrict users’ access abilities by not allowing them to request certain functions or information, or to have access to specific system resources. Three major types of constrained user interfaces exist: menus and shells, database views, and physically constrained interfaces.
Remote Access Control Technologies
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a network protocol that provides client/server authentication and authorization, and audits remote users.
TACACS
Terminal Access Controller Access Control System (TACACS) has been through three generations: TACACS, Extended TACACS (XTACACS), and TACACS+. TACACS combines its authentication and authorization processes; XTACACS separates authentication, authorization, and auditing processes; and TACACS+ is XTACACS with extended two-factor user authentication.
TACACS uses fixed passwords for authentication, while TACACS+ allows users to employ dynamic (onetime) passwords, which provides more protection.
RADIUS encrypts the user’s password only as it is being transmitted from the RADIUS client to the RADIUS server. Other information, as in the username, accounting, and authorized services, is passed in cleartext.TACACS+ encrypts all of this data between the client and server and thus does not have the vulnerabilities inherent in the RADIUS protocol.
The RADIUS protocol combines the authentication and authorization functionality.
TACACS+ uses a true authentication, authorization, and accounting/audit (AAA) architecture, which separates the authentication, authorization, and accounting functionalities.
Diameter
Diameter is another AAA protocol that provides the same type of functionality as RADIUS and TACACS+ but also provides more flexibility and capabilities to meet the new demands of today’s complex and diverse networks.
Diameter protocol consists of two portions. The first is the base protocol, which provides the secure communication among Diameter entities, feature discovery, and version negotiation. The second is the extensions, which are built on top of the base protocol to allow various technologies to use Diameter for authentication.
Diameter uses TCP and AVPs, and provides proxy server support.
Diameter has the functionality and ability to provide the AAA functionality for other protocols and services because it has a large AVP set.
Diameter provides the AAA functionality, as listed next.
Authentication:
-
PAP, CHAP, EAP
-
End-to-end protection of authentication information
-
Replay attack protection
Authorization:
-
Redirects, secure proxies, relays, and brokers
-
State reconciliation
-
Unsolicited disconnect
-
Reauthorization on demand
Accounting:
-
Reporting, roaming operations (ROAMOPS) accounting, event monitoring
剩余内容请看本人公众号debugeeker, 链接为CISSP考试指南笔记:5.6 访问控制手段和技术