CISSP: 11 Answers to Domain 4 Questions

Updated: Sep 15, 2020

Computers and networks emerge from the integration of communication devices, storage devices, processing devices, security devices, input devices, output devices, operating systems, software, services, data, and people.


The Communication and Network Security domain for the CISSP exam deals with topics related to network components, specifically, how they function and how they are relevant to security.



Data residing in a static form on a storage device is fairly simple to secure. As long as physical access control is maintained and reasonable logical access controls are implemented, stored files remain confidential, retain their integrity, and are available to authorised users. However, once data is used by an application or transferred over a network connection, the process of securing it becomes much more difficult.


Question #1 What important factor differentiates Frame Relay from X.25?

  • Frame Relay supports multiple PVCs over a single WAN carrier connection.

  • Frame Relay is a cell-switching technology instead of a packet-switching technology like X.25.

  • Frame Relay does not provide a Committed Information Rate (CIR).

  • Frame Relay only requires a DTE on the provider side.


Switching


When two systems (individual computers or LANs) are connected over multiple intermediary networks, the task of transmitting data packets from one to the other is a complex process. To simplify this task, switching technologies were developed.


Circuit Switching

  • Circuit switching was originally developed to manage telephone calls over the public switched telephone network.

  • A dedicated physical pathway is created between the two communicating parties.

  • Once the call is established, the links between the two parties remain the same throughout the conversation. This allows for

      • fixed or known transmission times,

      • a uniform level of quality, and

      • little or no loss of signal or communication interruptions.

  • Circuit switching grants exclusive use of a communication path to the current communication partners. Only after a session has been closed can a pathway be reused by another communication.


Packet Switching

  • Packet switching occurs when the message or communication is broken up into small segments and sent across the intermediary networks to the destination. It does not enforce exclusivity of communication pathways.

  • In relation to security, there are a few potential issues to consider:

      • A packet-switching system places data from different sources on the same physical connection. This could lend itself to

          • disclosure,

          • corruption, or

          • eavesdropping.

      • Proper connection management, traffic isolation, and usually encryption are needed to protect against shared physical pathway concerns.


Virtual Circuits (VCs)

A virtual circuit is a logical pathway or circuit created over a packet-switched network between two specific endpoints. Within packet-switching systems are two types of virtual circuits:

  • Permanent virtual circuits (PVCs)

      • A PVC is like a dedicated leased line; the logical circuit always exists and is waiting for the customer to send data.

  • Switched virtual circuits (SVCs)

      • An SVC is more like a dial-up connection because a virtual circuit (VC) has to be created using the best paths currently available before it can be used, and then disassembled after the transmission is complete.


WAN Technologies

WAN links are used to connect distant networks, nodes, or individual devices together. This can improve communications and efficiency, but it can also place data at risk.

  • Proper connection management and transmission encryption is needed to ensure a secure connection, especially over public network links.

WAN Connection Categories

WAN links and long-distance connection technologies can be divided into two primary categories:

  • Dedicated line (leased line, point-to-point link)

      • It is definably and continually reserved for use by a specific customer.

      • It is always on and waiting for traffic to be transmitted over it.

      • It connects two specific endpoints and only those two endpoints.

      • Examples include:



  • Nondedicated line

      • It requires a connection to be established before data transmission can occur.

      • It can be used to connect with any remote system that uses the same type of nondedicated line.

      • Examples include:

          • Digital subscriber line (DSL) - ADSL, xDSL, CDSL, HDSL, SDSL, RASDSL, IDSL, VDSL

          • Integrated Services Digital Network (ISDN) - BRI, PRI


WAN Connection Technologies

Numerous WAN connection technologies are available to companies that need communication services between multiple locations and even external partners. These technologies vary in cost and throughput.

  • A WAN switch, specialised router, or border connection device provides all the interfacing needed between the network carrier service and a company's LAN.

      • The border connection device is called the channel service unit/data service unit (CSU/DSU).

      • The CSU/DSU contains data terminal equipment/data circuit-terminating equipment (DTE/DCE), which provides the actual connection point for the LAN's router (the DTE) and the WAN carrier network's switch (the DCE).



There are many types of carrier networks, or WAN connection technologies:

  • X.25 WAN Connections

      • It uses PVCs to establish specific point-to-point connections between two systems or networks.

      • It has much lower performance and throughput rates when compared to Frame Relay or ATM.

  • Frame Relay Connections

      • Like X.25, it is a packet-switching technology that also uses PVCs.

      • Unlike X.25, it supports multiple PVCs over a single WAN carrier service connection.

      • A key concept related to Frame Relay is the committed information rate (CIR) - it is the guaranteed minimum bandwidth a service provider grants to its customers.

      • It requires the use of DTE/DCE at each connection point.

  • ATM (Asynchronous Transfer Mode)

      • It is a cell-switching WAN communication technology - it fragments communications into fixed-length 53-byte cells. This allows it to be very efficient and offer high throughputs.

      • Frame Relay and ATM are being replaced by fibre-optic and wireless solutions.

  • SMDS (Switched Multimegabit Data Service)

      • It is a connectionless packet-switching technology used to connect multiple LANs to form a metropolitan area network (MAN) or WAN.

      • It supports high-speed bursty traffic and bandwidth on demand.

      • It fragments data into small transmission cells.

  • Synchronous Digital Hierarchy (SDH) and Synchronous Optical Network (SONET)

      • These are fibre-optic high-speed networking standards.

      • The main bandwidth levels of SDH and SONET are shown below - the transmission service supports a foundational level of speed of 51.48Mbps, which supports the Synchronous Transport Signals (STS) of SDH and/or the Synchronous Transport Modules (STM) of SONET.

Note: the term Optical Carrier (OC) can also be substituted for STS.




Answer

  • Frame Relay supports multiple PVCs over a single WAN carrier connection.

  • Frame Relay is a cell-switching technology instead of a packet-switching technology like X.25.

  • Frame Relay does not provide a Committed Information Rate (CIR).

  • Frame Relay only requires a DTE on the provider side.


Frame Relay supports multiple permanent virtual circuits (PVCs), unlike X.25. It is a packet-switching technology that provides a Committed Information Rate (CIR), which is a minimum bandwidth guarantee provided by the service provider to customers. Finally, Frame Relay requires a DTE/DCE at each connection point, with the DTE providing access to the Frame Relay network, and a provider-supplied DCE, which transmits the data over the network.



Question #2 During a security assessment of a wireless network, Jim discovers that LEAP is in use on a network using WPA. What recommendation should Jim make?

  • Continue to use LEAP. It provides better security than TKIP for WPA networks.

  • Use an alternate protocol like PEAP or EAP-TLS and implement WPA2 if supported.

  • Continue to use LEAP to avoid authentication issues, but move to WPA2.

  • Use an alternate protocol like PEAP or EAP-TLS, and implement Wired Equivalent Privacy to avoid wireless security issues.


Wireless Networks

Wireless networking is a popular method of connecting corporate and home systems because of the ease of deployment and relatively low cost. It has made networking more versatile than ever before. However, with this freedom come additional vulnerabilities. This section examines various wireless security issues.

  • Data emanation is the transmission of data across electromagnetic signals. Emanations occur whenever electrons move. Movement of electrons creates a magnetic field. If you can read that magnetic field, you could re-create it elsewhere in order to reproduce the electron stream. If the original electron stream was used to communicate data, then the re-created electron stream is also a re-creation of the original data. This could open the door for eavesdropping and data theft.

  • Protecting against eavesdropping and data theft requires that:

      1. You maintain physical access control over all electronic equipment.

      2. You use shielded devices and media where physical access or proximity is still possible for unauthorised personnel.

      3. You always transmit sensitive data using secure encryption protocols.


Securing Wireless Access Points (WAPs)



Wireless cells are the areas within a physical environment where a wireless device can connect to a wireless access point. Wireless cells can leak outside the secure environment and allow intruders easy access to the wireless network.


  • When you are deploying wireless networks, you should deploy WAPs configured to use infrastructure mode rather than ad hoc mode.



Ad hoc mode

  • Any two wireless networking devices with wireless NICs (say, two laptops) can communicate directly without a centralised control authority.

Infrastructure mode

  • A WAP is required, wireless NICs on systems can't interact directly, and the restrictions of the WAP for the wireless network access are enforced.

  • There are several variations:

      • Stand-alone mode infrastructure - occurs when there is a WAP connecting wireless clients to each other but not to any wired resources.

      • Wired extension mode infrastructure - occurs when the WAP acts as a connection point to link the wireless clients to the wired network.

      • Enterprise extended mode infrastructure - occurs when multiple WAPs are used to connect a large physical area to the same wired network. Each WAP will use the same extended service set identifier (ESSID) so clients can roam the area while maintaining network connectivity, even while their wireless NICs change associations from one WAP to another.

      • Bridge mode infrastructure - occurs when a wireless connection is used to link two wired networks.


Securing the SSID




The term SSID (service set identifier) covers two types of identifier: the extended service set identifier (ESSID) and the basic service set identifier (BSSID).

  • An ESSID is the name of a wireless network when a wireless base station or WAP is used - that is, in infrastructure mode.

  • The BSSID is the MAC address of the base station or WAP hosting the ESSID in order to differentiate multiple base stations supporting a single extended wireless network.

  • Independent service set identifier (ISSID) is the name of a wireless network when in ad hoc or peer-to-peer mode - that is, when a base station or WAP is not used.


If a wireless client knows the SSID, they can configure their wireless NIC to communicate with the associated WAP. Knowledge of the SSID does not always grant entry because the WAP can use numerous security features to block unwanted access.

  • The SSID is broadcast by the WAP via a special transmission called a beacon frame. This allows any wireless NIC within range to see the wireless network and make connecting as simple as possible.

  • However, this default broadcasting of the SSID should be disabled to keep the wireless network secret.

  • Even by disabling the default broadcasting of the SSID, attackers can still discover the SSID with a wireless sniffer since the SSID must still be used in transmissions between wireless clients and the WAP.

  • Instead, use WPA2 (Wi-Fi Protected Access) as a reliable authentication and encryption solution rather than trying to hide the existence of the wireless network.


Note: the Wi-Fi Alliance announced WPA3 in 2018 as the replacement for WPA2.


Using Secure Encryption Protocols





The IEEE 802.11 standard defines two methods that wireless clients can use to authenticate to WAPs before normal network communications can occur across the wireless link.

  • Open system authentication (OSA)

      • There is no real authentication required. As long as a radio signal can be transmitted between the client and WAP, communications are allowed.

      • Everything is transmitted in clear text, thus providing no secrecy or security.

  • Shared key authentication (SKA)

      • Some form of authentication must take place before network communications can occur.

      • Techniques include: Wired Equivalent Privacy (WEP), WPA, WPA2, etc.


Wired Equivalent Privacy (WEP)

  • It was designed to provide the same level of security and encryption on wireless networks as is found on wired or cabled networks.

  • It provides protection from packet sniffing and eavesdropping against wireless transmissions.

  • WEP uses a predefined shared secret key.

  • This key is used to encrypt packets before they are transmitted over the wireless link, thus providing confidentiality protection.

  • Rather than being a typical dynamic symmetric cryptography solution, the shared key is static and shared among all wireless access points and device interfaces.

  • Knowledge or possession of the key allows encrypted communication and a rudimentary form of authentication.

  • A hash value is used to verify that received packets weren't modified or corrupted while in transit; thus WEP also provides integrity protection.

  • WEP was cracked almost as soon as it was released - WPA is an improvement over WEP in that it does not use the same static key to encrypt all communications. Instead, it negotiates a unique key set with each host.

Summary

  • WEP encryption uses Rivest Cipher 4 (RC4), a symmetric stream cipher. Due to flaws in its design and its implementation of RC4, WEP is weak in several areas:

      • the use of a static common key; and

      • poor implementation of IVs (initialisation vectors).


WPA (Wi-Fi Protected Access)

  • It is based on the LEAP (Lightweight Extensible Authentication Protocol) and Temporal Key Integrity Protocol (TKIP) cryptosystems and often employs a secret passphrase for authentication.

  • The use of a single static passphrase means it can easily be guessed by a brute-force attack.

  • Additionally, both the LEAP and TKIP encryption options for WPA are now crackable using a variety of cracking techniques.


Summary

  • While it is more complex than a WEP compromise, WPA no longer provides long-term reliable security.


WPA2 (Wi-Fi Protected Access 2)

  • It uses an encryption scheme known as the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP), which is based on the AES encryption scheme.


802.1X/EAP

  • Both WPA and WPA2 support the enterprise authentication known as 802.1X/EAP (Extensible Authentication Protocol).

  • 802.1X/EAP is a standard port-based network access control that ensures that clients cannot communicate with a resource until proper authentication has taken place.

  • Through its use, other techniques such as RADIUS, TACACS, certificates, smart cards, token devices, and biometrics can be integrated into wireless networks, providing techniques for both mutual and multi-factor authentication.

EAP is not a specific method for authentication; rather, it is an authentication framework. More than 40 different EAP methods of authentication are widely supported - including the wireless methods LEAP, EAP-TLS, EAP-SIM, EAP-AKA, and EAP-TTLS.


PEAP (Protected Extensible Authentication Protocol)

  • Since EAP was originally designed for use over physically isolated channels and hence assumed secured pathways, EAP is usually not encrypted.

  • PEAP encapsulates EAP methods within a TLS tunnel that provides authentication and potentially, encryption. So PEAP can provide encryption for EAP methods.


LEAP (Lightweight Extensible Authentication Protocol)

  • It is a Cisco alternative to TKIP (Temporal Key Integrity Protocol) for WPA.

  • An attack tool known as Asleap could exploit the weak protection provided by LEAP. LEAP should be avoided when possible; use EAP-TLS as an alternative.

CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)

  • It uses AES with a 128-bit key.

  • It is the preferred standard security protocol for 802.11 wireless networking.

  • No attacks to date have been successful against the AES/CCMP encryption.

Answer

  • Continue to use LEAP. It provides better security than TKIP for WPA networks.

  • Use an alternate protocol like PEAP or EAP-TLS and implement WPA2 if supported.

  • Continue to use LEAP to avoid authentication issues, but move to WPA2.

  • Use an alternate protocol like PEAP or EAP-TLS, and implement Wired Equivalent Privacy to avoid wireless security issues.


LEAP, the Lightweight Extensible Authentication Protocol, is a Cisco proprietary protocol designed to handle problems with TKIP. Unfortunately, LEAP has significant security issues as well and should not be used. Any modern hardware should support WPA2 and technologies like PEAP or EAP-TLS. Using WEP, the predecessor to WPA and WPA2, would be a major step back in security for any network.



Question #3 Ben has connected his laptop to his tablet PC using an 802.11g connection. What wireless network mode has he used to connect these devices?

  • Infrastructure mode

  • Wired extension mode

  • Ad hoc mode

  • Stand-alone mode


  • When you are deploying wireless networks, you should deploy WAPs configured to use infrastructure mode rather than ad hoc mode.



Ad hoc mode

  • Any two wireless networking devices with wireless NICs (say, two laptops) can communicate directly without a centralised control authority.

Infrastructure mode

  • A WAP is required, wireless NICs on systems can't interact directly, and the restrictions of the WAP for the wireless network access are enforced.

  • There are several variations:

      • Stand-alone mode infrastructure - occurs when there is a WAP connecting wireless clients to each other but not to any wired resources.

      • Wired extension mode infrastructure - occurs when the WAP acts as a connection point to link the wireless clients to the wired network.

      • Enterprise extended mode infrastructure - occurs when multiple WAPs are used to connect a large physical area to the same wired network. Each WAP will use the same extended service set identifier (ESSID) so clients can roam the area while maintaining network connectivity, even while their wireless NICs change associations from one WAP to another.

      • Bridge mode infrastructure - occurs when a wireless connection is used to link two wired networks.


Answer

  • Infrastructure mode

  • Wired extension mode

  • Ad hoc mode

  • Stand-alone mode


Question #4 Lauren’s and Nick’s PCs simultaneously send traffic by transmitting at the same time. What network term describes the range of systems on a network that could be affected by this same issue?

  • The subnet

  • The supernet

  • A collision domain

  • A broadcast domain

You will use numerous devices when constructing a network. Strong familiarity with these secure network components can assist you in designing an IT infrastructure that avoids single points of failure and provides strong support for availability. Two concepts that affect availability are collisions and broadcasts.

  • Collisions and collision domains

  • A collision occurs when two systems transmit data at the same time onto a connection medium that supports only a single transmission path.

  • A collision domain is a group of networked systems that could cause a collision if any two or more of the systems in that group transmit simultaneously. Any system outside the collision domain cannot cause a collision with any member of that collision domain.

  • Generally, collisions are something to avoid and prevent. As the number of systems in a collision domain increases, so does the likelihood of network congestion due to an increase in collisions.


  • Broadcasts and broadcast domains

  • A broadcast occurs when a single system transmits data to all possible recipients.

  • A broadcast domain is a group of networked systems in which all other members receive a broadcast signal when one of the members of the group transmits it. Any system outside a broadcast domain would not receive a broadcast from that domain.


Answer

  • The subnet

  • The supernet

  • A collision domain

  • A broadcast domain


Question #5 Sarah is manually reviewing a packet capture of TCP traffic and finds that a system is setting the RST flag in the TCP packets it sends repeatedly during a short period of time. What does this flag mean in the TCP packet header?

  • RST flags mean “Rest.” The server needs traffic to briefly pause.

  • RST flags mean “Relay-set.” The packets will be forwarded to the address set in the packet.

  • RST flags mean “Resume Standard.” Communications will resume in their normal format.

  • RST means “Reset.” The TCP session will be disconnected.

OSI Transport Layer: TCP

Communications between computers over networks are made possible by protocols. A protocol is a set of rules and restrictions that define how data is transmitted over a network medium. In the early days of network development, many companies had their own proprietary protocols, which meant interaction between computers of different vendors was often difficult, if not impossible. In an effort to eliminate this problem, the International Organisation for Standardisation (ISO) developed the OSI (Open Systems Interconnection) Reference Model for protocols.

  • The OSI model divides networking tasks into 7 layers. Each layer is responsible for performing specific tasks or operations for the ultimate goal of supporting data exchange between computers.


The Transport layer (layer 4) is responsible for managing the integrity of a connection and controlling the session. It establishes a logical connection between two devices and provides end-to-end transport services to ensure data delivery.

  • The following protocols operate within the Transport layer:

  • Transmission Control Protocol (TCP)

  • User Datagram Protocol (UDP)

  • Sequenced Packet Exchange (SPX)

  • Secure Sockets Layer (SSL)

  • Transport Layer Security (TLS).


TCP

  • It supports full-duplex communications, is connection-oriented, and employs reliable sessions.

  • It is connection-oriented because it employs a handshake process between systems to establish a communication session.

  • Upon completion of this handshake process, a communication session that can support data transfer between the client and server is established.



When a communication session is complete, there are two methods to disconnect the TCP session:

  • Using the FIN (finish) flag

  • Each side of a conversation will transmit a FIN flagged packet once all of its data is transmitted. This triggers the opposing side to confirm with an ACK flagged packet.


  • Using the RST (reset) flag

  • Using an RST flagged packet causes an immediate and abrupt session termination.


TCP header field values:


Answer

  • RST flags mean “Rest.” The server needs traffic to briefly pause.

  • RST flags mean “Relay-set.” The packets will be forwarded to the address set in the packet.

  • RST flags mean “Resume Standard.” Communications will resume in their normal format.

  • RST means “Reset.” The TCP session will be disconnected.



Question #6 Gary is deploying a wireless network and wants to deploy the fastest possible wireless technology. Due to technical constraints, he is limited to using a 2.4 GHz option. Which one of the following wireless networking standards should he use?

  • 802.11a

  • 802.11g

  • 802.11n

  • 802.11ac

802.11 is the IEEE standard for wireless communications. Various versions (technically called amendments) of the standard have been implemented in hardware. Each version or amendment to the 802.11 standard offered slightly better throughput.




Answer

  • 802.11a

  • 802.11g

  • 802.11n

  • 802.11ac


Question #7 Chris is configuring an IDS to monitor for unencrypted FTP traffic. What ports should Chris use in his configuration?

  • TCP 20 and 21

  • TCP 21 only

  • UDP port 69

  • TCP port 21 and UDP port 21

The two primary Transport layer protocols of TCP/IP are TCP and UDP. TCP is a full-duplex connection-oriented protocol, whereas User Datagram Protocol (UDP) is a simplex connectionless protocol.

  • When a communication connection is established between two systems, it is done using ports. TCP and UDP each have 65,536 ports.

  • The first 1,024 of these ports (0-1,023) are called the well-known ports or the service ports.

  • Ports 1,024 to 49,151 are known as the registered software ports.

  • Ports 49,152 to 65,535 are known as the random, dynamic, or ephemeral ports because they are often used randomly and temporarily by clients as a source port.
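As an added example (not part of the original post) tying together the RST teardown under Question #5 and the FTP ports and port ranges under Question #7: a small Python parser for the fixed 20-byte TCP header, a check that counts RST-flagged segments per source so a burst like the one Sarah saw stands out, and a filter for unencrypted FTP control (TCP 21) and data (TCP 20) segments using the port classes listed above. The segments and addresses are constructed sample data, not a real capture.

```python
"""Parse raw TCP headers, then (a) count RST segments per source to spot the
abrupt-teardown burst from Question #5 and (b) classify ports and flag
unencrypted FTP control/data segments for the IDS rule in Question #7.
Added example; the sample segments below are constructed, not a real capture."""
import struct
from collections import Counter

# TCP flag bits carried in the 14th byte of the header (RFC 793 layout).
FIN = 0x01
SYN = 0x02
RST = 0x04
ACK = 0x10

FTP_DATA_PORT = 20
FTP_CONTROL_PORT = 21

# Fixed 20-byte header, no options: ports, seq, ack, offset, flags, window,
# checksum, urgent pointer.
TCP_HEADER_FMT = "!HHIIBBHHH"


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Construct a minimal 20-byte TCP header for the sample data."""
    data_offset = 5 << 4            # 5 x 32-bit words, reserved bits zero
    return struct.pack(TCP_HEADER_FMT, src_port, dst_port, seq, ack,
                       data_offset, flags, 65535, 0, 0)


def parse_tcp_header(raw):
    """Return (src_port, dst_port, flags) from the first 20 bytes of a header."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    src, dst, _seq, _ack, _offset, flags, _win, _csum, _urg = struct.unpack(
        TCP_HEADER_FMT, raw[:20])
    return src, dst, flags


def flag_names(flags):
    """Human-readable list of the flags set, in header bit order."""
    return [name for bit, name in ((FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (ACK, "ACK"))
            if flags & bit]


def port_class(port):
    """Classify a port using the three ranges given on the page."""
    if 0 <= port <= 1023:
        return "well-known"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "ephemeral"
    raise ValueError("port out of range")


def rst_sources(segments, threshold):
    """segments: list of (src_ip, raw_header). Return {src_ip: rst_count} for
    every source that sent at least `threshold` RST-flagged segments."""
    counts = Counter()
    for src_ip, raw in segments:
        _, _, flags = parse_tcp_header(raw)
        if flags & RST:
            counts[src_ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def ftp_segments(segments):
    """Return (src_ip, src_port, dst_port, label) for segments that touch the
    FTP control port (21) or the FTP data port (20) on either side."""
    hits = []
    for src_ip, raw in segments:
        src, dst, _ = parse_tcp_header(raw)
        if FTP_CONTROL_PORT in (src, dst):
            hits.append((src_ip, src, dst, "ftp-control"))
        elif FTP_DATA_PORT in (src, dst):
            hits.append((src_ip, src, dst, "ftp-data"))
    return hits


# Constructed sample capture: 10.0.0.5 fires three RSTs in a row (the pattern
# from Question #5); 10.0.0.9 opens an FTP control session and the server
# 10.0.0.1 opens the FTP data connection back to it.
SAMPLE = [
    ("10.0.0.5", build_tcp_header(51000, 80, RST)),
    ("10.0.0.5", build_tcp_header(51001, 80, RST)),
    ("10.0.0.5", build_tcp_header(51002, 80, RST)),
    ("10.0.0.9", build_tcp_header(52000, FTP_CONTROL_PORT, SYN)),
    ("10.0.0.1", build_tcp_header(FTP_DATA_PORT, 52001, SYN)),
    ("10.0.0.9", build_tcp_header(52003, 443, FIN | ACK)),
]

if __name__ == "__main__":
    print("RST bursts:", rst_sources(SAMPLE, threshold=3))
    for src_ip, src, dst, label in ftp_segments(SAMPLE):
        print(f"{label}: {src_ip} {src} ({port_class(src)}) -> {dst} ({port_class(dst)})")
```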

Common Application Layer Protocols




Answer

  • TCP 20 and 21

  • TCP 21 only

  • UDP port 69

  • TCP port 21 and UDP port 21


Question #8 FHSS, DSSS, and OFDM all use what wireless communication method that occurs over multiple frequencies simultaneously?

  • Wi-Fi

  • Spread Spectrum

  • Multiplexing

  • Orthogonal modulation


Wireless communication employs radio waves to transmit signals over a distance. There is a finite amount of radio wave spectrum; thus, its use must be managed properly to allow multiple simultaneous uses with little or no interference.

  • The 900 MHz, 2.4 GHz, and 5 GHz frequencies are the most commonly used in wireless products because of their unlicensed categorisation. To manage the simultaneous use of the limited radio frequencies, several spectrum-use techniques were developed.

  • Spread spectrum means that communication occurs over multiple frequencies at the same time. A message is broken into pieces, and each piece is sent at the same time but using a different frequency:

Frequency Hopping Spread Spectrum (FHSS)

  • It transmits data serially (a deviation from the parallel transmissions used by other techniques) while constantly changing the frequency in use.

  • The entire range of available frequencies is employed, but only one frequency at a time is used.

Direct Sequence Spread Spectrum (DSSS)

  • It employs all the available frequencies simultaneously in parallel; thus, providing a higher rate of data throughput than FHSS.

  • It uses a special encoding mechanism known as a chipping code to allow a receiver to reconstruct data even if parts of the signal were distorted because of interference.

Orthogonal Frequency-Division Multiplexing (OFDM)

  • The modulated signals are perpendicular (orthogonal) and thus do not cause interference with each other.

  • Ultimately, OFDM requires a smaller frequency set but can offer greater data throughput.

Answer

  • Wi-Fi

  • Spread Spectrum

  • Multiplexing

  • Orthogonal modulation

Frequency Hopping Spread Spectrum (FHSS), Direct Sequence Spread Spectrum (DSSS), and Orthogonal Frequency-Division Multiplexing (OFDM) all use spread spectrum techniques to transmit on more than one frequency at the same time. Neither FHSS nor DSSS uses orthogonal modulation, while multiplexing describes combining multiple signals over a shared medium of any sort. Wi-Fi may receive interference from FHSS systems but doesn’t use it.



Question #9 Brian is selecting an authentication protocol for a PPP connection. He would like to select an option that encrypts both usernames and passwords and protects against replay using a challenge/response dialog. He would also like to re-authenticate remote systems periodically. Which protocol should he use?

  • PAP

  • CHAP

  • EAP

  • LEAP


Network and Protocol Security Mechanisms

TCP/IP is the primary protocol suite used on most networks and on the Internet. It has numerous security deficiencies. In an effort to improve the security of TCP/IP, many subprotocols, mechanisms, or applications have been developed to protect the confidentiality, integrity, and availability of transmitted data.


Secure Communications Protocols


IPSec

  • Internet Protocol security (IPsec) uses public key cryptography to provide encryption, access control, nonrepudiation, and message authentication.

  • The primary use of IPsec is for VPNs.

Kerberos

  • Kerberos offers a single sign-on solution for users and provides protection for logon credentials.

SSH

  • Secure Shell (SSH) can be used to encrypt numerous plaintext utilities (such as rcp, rlogin, rexec), serve as a protocol encrypter (such as with SFTP), and function as a VPN.

Signal Protocol

  • It provides end-to-end encryption for voice communications, videoconferencing, and text message services.

Secure Remote Procedure Call (S-RPC)

  • This is an authentication service and is simply a means to prevent unauthorised execution of code on remote systems.

Secure Sockets Layer (SSL)

  • This is an encryption protocol developed to protect the communications between a web server and a web browser.

  • It can be used to secure web, email, FTP, or even Telnet traffic.

  • It is a session-oriented protocol that provides confidentiality and integrity. It is deployed using a 40-bit key or 128-bit key.

  • It is superseded by TLS.

Transport Layer Security (TLS)

  • TLS functions in the same general manner as SSL, but it uses stronger authentication and encryption protocols. In addition, TLS can be used to encrypt UDP and Session Initiation Protocol (SIP) connections.

Authentication Protocols

After a connection is initially established between a remote system and a server or a network, the first activity that should take place is to verify the identity of the remote user. This activity is known as authentication.

  • There are several authentication protocols that control how the logon credentials are exchanged and whether those credentials are encrypted during transport:

Challenge Handshake Authentication Protocol (CHAP)

  • It encrypts usernames and passwords.

  • It performs authentication using a challenge-response dialogue that cannot be replayed.

  • It periodically re-authenticates the remote system throughout an established communication session to verify a persistent identity of the remote client - this activity is transparent to the user.

Password Authentication Protocol (PAP)

  • PAP transmits usernames and passwords in cleartext - it offers no form of encryption.

Extensible Authentication Protocol (EAP)

  • This is a framework for authentication instead of an actual protocol.

  • It allows customised authentication security solutions, such as supporting smart cards, tokens, and biometrics.

  • It assumes that the channel is already protected.
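As an added example (not from the original post) of the CHAP behaviour listed above, shown beside PAP for contrast: a simulated PPP CHAP exchange using the MD5 response of RFC 1994, where the authenticator issues a fresh random challenge for the initial authentication and for each periodic re-authentication, a response captured from an earlier round and replayed against a new challenge is rejected, and the PAP Authenticate-Request is shown carrying the credentials as-is. Peer names and secrets are constructed.

```python
"""Simulated PPP CHAP (RFC 1994, MD5 response) beside PAP, to show why CHAP
resists replay and can re-authenticate mid-session. Added example; the peer
name and shared secret are constructed values."""
import hashlib
import hmac
import os

# Constructed shared secrets; in real PPP deployments these are provisioned out of band.
SECRETS = {"brian": b"constructed-shared-secret"}


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    The secret itself is never placed on the link, only this digest."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues a fresh challenge per round and checks the response."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.identifier = 0
        self.outstanding = {}   # identifier -> challenge still awaiting a response

    def challenge(self):
        # A new identifier and fresh random challenge every round, so a response
        # recorded earlier is worthless against any later challenge.
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier, name, response):
        chal = self.outstanding.pop(identifier, None)   # one response per challenge
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """Client side: proves knowledge of the secret without transmitting it."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def answer(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)


def pap_authenticate_request(name, password):
    """PAP by contrast: the Authenticate-Request carries name and password as-is."""
    return name.encode() + b":" + password


def run_chap(auth, peer, reauth_rounds=2):
    """Initial authentication followed by `reauth_rounds` periodic re-authentications.
    Returns (per-round results, result of replaying round 1's response later)."""
    results = []
    captured = None
    for _ in range(1 + reauth_rounds):
        ident, chal = auth.challenge()
        name, resp = peer.answer(ident, chal)
        if captured is None:
            captured = (name, resp)   # what an eavesdropper on the link would hold
        results.append(auth.verify(ident, name, resp))
    # Replay attempt: present the captured response against a brand-new challenge.
    new_ident, _ = auth.challenge()
    replayed = auth.verify(new_ident, captured[0], captured[1])
    return results, replayed


if __name__ == "__main__":
    auth = ChapAuthenticator(SECRETS)
    peer = ChapPeer("brian", SECRETS["brian"])
    rounds, replayed = run_chap(auth, peer)
    print("CHAP rounds:", rounds, "replay accepted:", replayed)
    print("PAP on the wire:", pap_authenticate_request("brian", b"constructed-password"))
```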


Answer

  • PAP

  • CHAP

  • EAP

  • LEAP
