
CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CT 248: Implementing Authentication Systems (SAML, OpenID, OIDC, Kerberos, RADIUS/TACACS+) - Domain 5.6
Navigating the complex landscape of authentication frameworks is essential for any cybersecurity professional, especially those preparing for the CISSP exam. This deep-dive episode unravels the intricate world of authentication systems that protect our digital identities across multiple platforms and services.
We begin by examining OAuth 2.0 and OpenID Connect (OIDC), exploring how these token-based frameworks revolutionize third-party authentication without exposing user credentials. When you click "Login with Google," you're experiencing these protocols in action—reducing password reuse while maintaining security across digital services. Learn the difference between authorization flows and how these systems interact to verify your identity seamlessly across the web.
The podcast then transitions to Security Assertion Markup Language (SAML), breaking down how this XML-based protocol establishes trust between identity providers and service providers. Through practical examples, we illustrate how SAML enables web single sign-on capabilities across educational institutions, corporate environments, and cloud services—creating that "connective tissue" between disparate systems while enhancing both security and user experience.
Kerberos, MIT's powerful network authentication protocol, takes center stage as we explore its ticketing system architecture. Named after the three-headed dog of Greek mythology, this protocol's Authentication Service, Ticket Granting Service, and Key Distribution Center work in concert to verify identities without transmitting passwords across networks. We also discuss critical considerations like time synchronization requirements that can make or break your Kerberos implementation.
For remote authentication scenarios, we compare RADIUS and TACACS+ protocols, highlighting their distinct approaches to the AAA (Authentication, Authorization, and Accounting) framework. Discover why network administrators choose UDP-based RADIUS for general network access while preferring the TCP-based TACACS+ for granular administrative control with command-level authorization and full payload encryption.
Whether you're studying for the CISSP exam or looking to strengthen your organization's security posture, this episode provides the knowledge foundation you need to implement robust authentication systems in today's interconnected world. Visit CISSP Cyber Training for additional resources to support your cybersecurity journey.
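As a worked illustration of the Kerberos ticket flow summarized above (client to Authentication Service for a TGT, TGT to the Ticket Granting Service for a service ticket, service ticket presented to the file server, with the clock-skew check that the episode calls out), here is an added example written for this page. It is not code from the podcast and not a real Kerberos implementation: the realm EXAMPLE.COM, the principal shon@EXAMPLE.COM, the service name cifs/files.example.com, the password and the 5-minute skew window are all constructed for the demonstration, and the "encryption" is a toy SHA-256 keystream with an HMAC tag standing in for a real Kerberos enctype.

```python
"""Toy Kerberos-style exchange (added example, not a Kerberos implementation).
AS issues a TGT, TGS turns TGT + authenticator into a service ticket, and the
file server verifies that ticket without ever contacting the KDC."""
import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300                          # seconds; assumed, matches the common Kerberos default
REALM = "EXAMPLE.COM"                     # constructed realm
TGS_NAME = f"krbtgt/{REALM}"
FILE_SERVICE = "cifs/files.example.com"   # constructed service principal


def string_to_key(password: str, salt: str) -> bytes:
    """Password -> long-term key (toy stand-in for Kerberos string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag (NOT a real enctype)."""
    nonce = os.urandom(16)
    plaintext = json.dumps(payload, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Reverse of seal(); raises ValueError on a wrong key or a modified ticket."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ciphertext, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: wrong key or modified ticket")
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))


def _check_time(stamp: float, now: float) -> None:
    """Authenticators outside the skew window are rejected; this is why clocks must be in sync."""
    if abs(stamp - now) > CLOCK_SKEW:
        raise PermissionError("KRB_AP_ERR_SKEW: clock skew too great")


class KDC:
    """Key Distribution Center holding both the AS and the TGS roles."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.principals = {"shon@" + REALM: string_to_key("correct-horse", REALM + "shon")}
        self.service_keys = {TGS_NAME: os.urandom(32), FILE_SERVICE: os.urandom(32)}

    def authentication_service(self, client: str, preauth: bytes) -> bytes:
        """AS exchange: pre-auth timestamp proves knowledge of the password; returns TGT + session key."""
        key = self.principals[client]
        _check_time(unseal(key, preauth)["timestamp"], self.clock())  # wrong password -> ValueError
        session = os.urandom(32)
        tgt = seal(self.service_keys[TGS_NAME],
                   {"client": client, "session": session.hex(), "expires": self.clock() + 8 * 3600})
        return seal(key, {"session": session.hex(), "tgt": tgt.hex()})

    def ticket_granting_service(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        """TGS exchange: a valid TGT plus a fresh authenticator yields a service ticket."""
        ticket, now = unseal(self.service_keys[TGS_NAME], tgt), self.clock()
        if ticket["expires"] < now:
            raise PermissionError("KRB_AP_ERR_TKT_EXPIRED: TGT expired")
        session = bytes.fromhex(ticket["session"])
        auth = unseal(session, authenticator)
        if auth["client"] != ticket["client"]:
            raise PermissionError("KRB_AP_ERR_BADMATCH: authenticator does not match ticket")
        _check_time(auth["timestamp"], now)
        svc_session = os.urandom(32)
        svc_ticket = seal(self.service_keys[service],
                          {"client": ticket["client"], "session": svc_session.hex(), "expires": ticket["expires"]})
        return seal(session, {"session": svc_session.hex(), "ticket": svc_ticket.hex()})


def service_accepts(service_key: bytes, ticket_blob: bytes, authenticator: bytes, now: float) -> str:
    """The file server trusts the ticket because only the KDC knows its key; returns the client."""
    ticket = unseal(service_key, ticket_blob)
    if ticket["expires"] < now:
        raise PermissionError("KRB_AP_ERR_TKT_EXPIRED: service ticket expired")
    auth = unseal(bytes.fromhex(ticket["session"]), authenticator)
    if auth["client"] != ticket["client"]:
        raise PermissionError("KRB_AP_ERR_BADMATCH: authenticator does not match ticket")
    _check_time(auth["timestamp"], now)
    return ticket["client"]


def client_login(kdc: KDC, password: str, client_clock) -> str:
    """Client side of the whole flow: AS-REQ/REP, TGS-REQ/REP, then AP-REQ to the file server."""
    client, key = "shon@" + REALM, string_to_key(password, REALM + "shon")
    as_rep = unseal(key, kdc.authentication_service(client, seal(key, {"timestamp": client_clock()})))
    session = bytes.fromhex(as_rep["session"])
    tgs_rep = unseal(session, kdc.ticket_granting_service(
        bytes.fromhex(as_rep["tgt"]), seal(session, {"client": client, "timestamp": client_clock()}), FILE_SERVICE))
    ap_req = seal(bytes.fromhex(tgs_rep["session"]), {"client": client, "timestamp": client_clock()})
    return service_accepts(kdc.service_keys[FILE_SERVICE], bytes.fromhex(tgs_rep["ticket"]), ap_req, kdc.clock())


def flow_outcome(password: str, client_skew_seconds: float = 0) -> str:
    """Run the exchange with the client's clock offset by client_skew_seconds from the KDC's."""
    try:
        return "ok:" + client_login(KDC(), password, lambda: time.time() + client_skew_seconds)
    except (ValueError, PermissionError) as exc:
        return "fail:" + str(exc).split(":")[0]


if __name__ == "__main__":
    print(flow_outcome("correct-horse"), flow_outcome("wrong"), flow_outcome("correct-horse", 600))
```

The password itself never leaves the client: the AS only ever sees a timestamp sealed under the password-derived key, and the file server only sees a ticket sealed under its own key. Running it with a 10-minute client clock offset fails at the very first step with the skew error, which is the operational lesson behind the episode's time-synchronization warning.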
Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.
Speaker 2:Good morning everybody. It's Shon Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is Memorial Day and today we are pretty excited about being able to share some great opportunities and things that are going on within CISSP, but we also want to express our gratitude for the folks that have served and died. Within our country, at least in the United States, one of the most free world countries, there's people that have given their lives and sacrificed their lives for the betterment of society. So of all that, it's an important time for us to remember these folks as our, at least in the United States. Our country would not be here if it was not for them. So Memorial Day is a pretty solemn day here in the United States. That being said, we're going to be talking about some interesting things as far as it relates to domain 5.6 of the CISSP exam, and before we get started with that, I had an article that I saw as it related to NIST. Now, one of the areas that I'm running into, as it comes down to working with different companies, is metrics. Yes, metrics are an important part of all organizations, and if you can't measure it, well then how do you know you really did it? So it's an important thing that for you to, when you're thinking about how do I best protect my company, how do I, as a senior leader, help, I give information to them, and metrics is a big part. Now this came out from the National Institute of Standards and Technology here in the United States and they're introducing a new metric. Now I don't know if you all know what the Trump administration pretty much gutted a big chunk of the NIST environment, but I guess this metric was one that's made it through its way. Now they created a white paper, a technical white paper around it that was published May 19th.
Speaker 2:Now the thing about it is it talks around likely exploited vulnerabilities to help your organization determine, basically, if a product vulnerability is out there for it. Now it prioritizes those by focusing on the most likely to be exploited and it uses CVSS. So it uses your Common Vulnerability Scoring System and it's designed to look for any shortcomings with the CVSS that may not adequately reflect what's actually going on in real-world exploitation. So there is a gap, right. So there's analysis that goes on. Is it actually what's occurring out there in the real world, is it not? Now this uses a different kind of sources from threat intelligence feed, exploited databases and then real-world attack data to determine the potential likelihood that this may occur to the product that it's going after.
Speaker 2:So the interesting part is going to be is how will this actually play out? Now they've given some areas in here saying that there's a 30-day window in which it gets most of the data from. Outside the 30-day window, yeah, all bets are off. It does have some challenges related to the overall product itself and it does say that it doesn't really know how well this is all going to play out. One of the things I think down here at the bottom of the list, it does talk about exploited within 30 days will not receive a score. Anything outside of that will receive a score. So actually I was mistaken when I said that, but anything outside the 30 days will get the score, but if it's within the 30 days, it will not get the score.
Speaker 2:An interesting part is just going to be I would highly recommend you go out and read the white paper as you're putting together metrics for your organization. You want to see if this is something that maybe you want to put on your radar and think about it a little bit. I think it's going to take some time as it gets flushed out within NIST and within various other entities out there security platforms that are trying to look for different vulnerabilities We'll see how it gets adopted but potentially another vulnerability or another metric that could be used to help determine how at risk your organization is. And I think, as a person who's consulting with very large companies, metrics are a big thing, but we also know that metrics are not utilized much at all. So I would highly recommend that, if you haven't gotten into metrics within your organization, start looking at some of those. Mean time to detect, mean time to respond. Some of those aspects I think will be really valuable for you to really truly understand what is the risk to your organization. So just a question, maybe a question or pose into the group if something you might be interested in and looking into.
Speaker 2:Okay, so let's move on to what we're going to talk about today. Okay, so this is domain 5.6, implementing authentication systems, and all of these videos, again, as we talked about before, are all available on CISSP Cyber Training. So what is this? OpenID Connect, OIDC, and Open Authorization, or OAuth. So what the basic context of all this is, is these are standard authentication frameworks that are used for what they call token-based authentication, and this provides your user, like Shon Gerber. It provides my account data to third-party services such as Google, Facebook, and you've seen this a lot. When you're logging into something, it says which credentials do you wanna use? Do you wanna use Google? Do you wanna use Facebook? Some other credentials that are out there, or, if you have the username and password, that's a possibility as well. So it doesn't reveal the user account credentials to this third party, but it basically says that they are giving you the thumbs up, that you are the right person, because there's an access token that gives that specific information on to whatever company it is to authorize you. Now, this gaining of this token is called the authorization flow.
Speaker 2:Now, OAuth 1.0 was released in 2007, and it was basically put together for the Twitter API. In 2010, OAuth 2.0 was released, but it was not backward compatible to OAuth 1.0. So the ultimate goal, though, is we are at OAuth 2.0. Authorization flow is allowed for mobile apps, short-lived tokens and simplified signatures. You will deal with OAuth a lot in your cybersecurity world. You'll hear people talk about it all the time, and just think about it as it's your single sign-on capability to be able to transfer those, federate those credentials from outside the organization into the organization. So it's a great tool that's available for people to be able to use.
Speaker 2:Now, OAuth operations. This does allow end users access to one app, to data store, to another, without re-entering your credentials, like we kind of talked about. So if you enter into, I know, if I want to log into, we'll just say Facebook. Well, Facebook, something everyone, but let's say, whatever website you want to go to, it will pop up. Do you want to use your Google authentication or something else that allows using that one credential, so you don't have password reuse and you have that access into that overall system. Now the secure authorizations for the users who have already been authenticated does reduce the friction, right. It also reduces the fact, like I just mentioned earlier, of having password reuse. Now, I don't know, we all have dealt with that. I know I have it as well, but we've all dealt with password reuse and the goal is to move away from that as much as possible. Why? Because one, the passwords that we do reuse on a routine basis have been compromised. So the moment that you put a password in that's been compromised, you're now in a situation where you're automatically adding a level of, you're accepting a level of risk that you may not want to do and, as a security professional, it's imperative that you talk to your people about this to ensure that they don't have password reuse and you provide them tools to help them in this situation. But this is a great way with OAuth is that you can then have. You don't have to worry about that as much because they have been authenticated to that provider.
Speaker 2:Now, OAuth 2.0 has four specific roles. It's a resource owner, and this is the user that grants access to the protected source. You have a client. It is the current application being used. You have a resource server. This is where the external application that needs to be integrated, such as your Google, your Dropbox, Facebook and all those. That is what they call a resource server. And then you have your authorization server. This is responsible for authorizing resources which are allowed for access. Once you get access to the whatever that is going to be, then now what is the actual authorization you are allowed to gain access to? You can contact one server for authorization and pull resources from a separate server because of the intertwined and the federated access that these allow. Now, these support four process flows, and we won't go into the process flows specifically, but something for you to consider is client credentials flow, authorization code flow, resource owner password flow and implicit flow with form post. So these are the different types of flows that you can gain access to utilizing OAuth and OAuth 2.0.
Speaker 2:Now, OpenID Connect. This was developed in 2005 as a security specification for single sign-on, and OpenID allows for authentication services and websites to exchange security details based on a standard framework that they agreed to. Now, in 2014, this new version was named OpenID Connect, or OIDC, and this is where it was created. This strengthens OAuth 2.0 because it does allow the extension or the credential exchange between the different entities, the different federated frameworks, and it does allow for interoperability, identity management and overall support. So the goal was to have end users have the ability to log in just once across different multiple resources and use the security credentials to do that.
Speaker 2:Now, potentially, it's a better way for organizations to replace their on-prem access management. I've dealt with this. What it comes down to is maybe you have a Ping ID and, rather than having Ping ID and then having something else, they will then opt to go to an OIDC model which will work with OAuth, and then you can utilize your Google passwords into your organization, and it's a better way to replace your on-prem access management solutions that you may not want to have two different tools and pay for them. You may want to integrate this OIDC model into your environment. Not everybody wants to do that. Some people like to have this separate ability to control some of those access. So, like in the case of Ping ID, you now, as an enterprise, would have the ability to control who gains access to what within your organization. Whereas it deals with OIDC, there's some of that restrictions, or some of that capability is restricted or pulled away from you. Now there are other ways to stop access, right, but it does. It takes a little bit of that out of your hands, and so that's why some companies may or may not move down to this path.
Speaker 2:Now, OpenID Connect, some of the operations and how it's worked. It's currently supported by many web services, Google, PayPal, etc. And the main focus of this is authenticating users, and OIDC does specifically use OAuth 2.0 specifications. Okay, so it does. They're integrated in many ways. Now can you operate them both separate? Yes, but OIDC working together with OAuth 2.0 works very, very well, the authentication with cryptographically signed tokens, sharing user profile information, and there's other features that help resolve some of the security issues they had with OAuth 2.0 by marrying these two together. So again, OIDC, OAuth 2.0.
Speaker 2:Now, security assertion markup language. Now, what is SAML? So security assertion markup language, otherwise known as SAML, is an open standard for exchanging authentication and authorization data between various security domains. Now it does allow you to log into once to a website or service and then it accesses the other different websites or services that you need to log into. It's also known as web single sign-on. As an example, the military I have a place that I go and I log into that one website and that one website then will carry the credentials to multiple other military websites that I have, and so it's basically a web single sign-on capability. That would be under SAML. So SAML Connection.
Speaker 2:Now it was developed by the OASIS Security Services Technical Committee in the early 2000s, designed specifically for web applications, and what is it? The ultimate purpose that it solves is it uses Google's workspace for email. Like, so say, you use Google Workspace for your email capability, but a separate vendor for your learning management or your LMS system and then potentially another one for career services. Without SAML, you would need to log into these separately, and so that's an important part where SAML will allow you to integrate between the two and these different web services. It solves the building of a trust relationship between the different organizations and the different login systems, because your school's login system then could tell the LMS, yes, you've already logged in with the school. Now the LMS will allow you in. Same with the fact is, the school will tell you with your career services. It is using that trust relationship, and it's that SAML is an important part of the overall connectivity between these, and I was with a guy the other day and he made a comment about the connective tissue. Right, so you have, your body has got connective tissue and muscles. Well, this stuff is the connective tissue that puts it all together.
Speaker 2:Now, one of the core ideas is assertions and trust, which we talked about before. SAML works by exchanging specifically formatted XML, which is your extensible markup language, messages called assertions. So it's basically exchanging assertions back and forth, and this is basically a statement from one system. This is who they say they are and these are the permissions they should have, and they're telling these systems back and forth and that is what this assertion is relying on. Now it relies on pre-established trust between the systems involved. If you don't have that trust, obviously this won't work, but it does help reduce the friction of people logging on and transferring from credentials from one to the next. It really truly does also help minimize the overall password reuse. It does help immensely with that. I would also highly recommend that you do, if you haven't at this point, get some sort of password manager to basically help keep any additional passwords that you can't necessarily use in this format.
Speaker 2:Now how SAML works. This is basically you're a person trying to log in. Okay, the service provider or the website will want to ask you for information, like we talked about your school's LMS, your cloud service, whatever. It is the system that authenticates your identity, your school's login server. That's the identity provider, okay, okay, so you have your service provider, which is providing the service, and then you have your identity provider. The SAML assertion is like a verified ID card, and now we know in the United States we have our whatever that is on your ID. You have the gold star, right. They're the identity provider that issues this card. And then, when the service provider sees this situation, they will then trust it as and let you in without asking any more credentials. They say, yep, that's you, you are now allowed in, and this really makes it super nice, but there are challenges that come with this. It's just imperative, though, that you understand what is the overall ecosystem and how it works together.
Speaker 2:Now, simplified web SSO flow. You have access requests. The user's trying to access a protected app, a protected application, basically the service provider. You will then. The service provider will realize you're not logged in and will do a redirect to your browser that has the identity provider's page. You've seen this before, where you're going to try to log in and it says, oh, that's, I don't know who you are. At this point, I'm going to pitch you off to this identity provider, or this, hey, this is Google's authentication page. You then log into the identity provider using your username and password, right, and potentially MFA, if you have that, which I highly recommend, but you then log in.
Speaker 2:After that occurs, and after a successful authentication, the identity provider will do a SAML assertion, the verified ID card, and it will send this back to your web browser saying yes, Shon is who he says he is. Then you're redirected to the service provider, which is where you wanted to go in the first place. That's automatically done for you. So once this all is provided, and once it's all attested to, then you're basically allowed access in. If for some reason it's not, then you will be denied access to it at that point. But the goal is that it's taking care of you and now it's keeping that token that, yes, Shon has logged in, and it's keeping that for a period of time, and it will. Then, if I log into another application, that the trust is there, that assertion will go with it.
Speaker 2:So what are the benefits of SAML? Cross-domain single sign-on, right? So if you've got multiple websites, multiple organizations, it does give you that ability to do single sign-on across these different locations. It also improves the user experience, right. No need to remember multiple passwords or log in repeatedly. It's a huge factor, right? And the security piece of this, a centralized authentication, scattered credentials, password reuse, right, avoids a lot of that. And especially when you get to a point where, if you're not using a password manager of some kind, your password reuse is monkeybutt123 and then you get to a new location, you go, well, now it's monkeybutt1234, with an exclamation point, something like that. That's how it ends up happening if you get these situations where you're just not keeping track of all your credentials. So some important other considerations is web-based focus, primarily designed for web applications and browser-based interactions. There is some complexity related to it when you're doing an initial setup and it requires careful configuration to establish this trust between the IdPs and the SPs. It does. It takes someone who's skilled with doing this, otherwise you're just going to get frustrated and it won't work. So it's an imperative part of this that you really have good, careful configurations and it is configured in a way that the credentials cannot be compromised.
Speaker 2:Kerberos. Now we're into Kerberos, and this is where a network authentication protocol that does provide strong authentication for client-server applications using secret-key crypto. So that's Kerberos. So it's a little bit different, but it's basically dealing with between client to servers, right, a lot of times within your organization. This allows users to prove their identity to network services like file servers or email, without sending their passwords over the network. So you log in once and now Kerberos has got you taken care of. Now.
Speaker 2:It was developed by MIT in the 80s and its name comes from the three-headed dog of Greek mythology, Kerberos, right? So it's a guard of the underworld and it's basically saying, yes, we have three main components and because of these three main components, we are going to make the dog that will keep you protected. That's the ultimate goal of Kerberos, right? So what does it solve? So let's just say, for example, you need to access a lot of different services, emails, files, printers, you name it, right, on one specific network. Well, without Kerberos, you might have to basically send your username and password to each of these services over and over again, which can be, one, obviously intercepted, and two, can be extremely annoying. So the goal of this is to provide some level of single sign-on experience where you prove your identity once and then these tickets are used to access other services securely.
Speaker 2:Now we do talk about this in the hacking side of the world. There was the golden ticket, which, if you take your ticket, it could then basically take in that Kerberos authentication and you could become that person. Those were some vulnerabilities that happened many, many years ago on some older type systems, but it's the same concept, right? It's a ticket that allows you to gain access to these different types of services within a single network. Now, the core idea around this is that it uses a trusted third party, a specific server used to verify your identity, and instead of passwords, you get these tickets to prove who you are to other services. They're like a temporary pass, the golden ticket, that lets you log into different parts of your network without showing your ID every time. So it's like going to Disney World and you have your golden ticket, your park pass or whatever they call that pass, and it allows you in to all the different rides. Same kind of concept. And this is where it's a trusted third party.
Speaker 2:Now, how does it actually work? So your network services you want to access, so you've got your client as your computer, your server that you want to get access to. Then there's another term that you may hear and you may see on the CISSP exam, it's called key distribution center. Now, key distribution centers are used a lot, not just within Kerberos, but you'll get them within the cloud environment. They are something that will maintain and manage server keys. Now, a central Kerberos server has two main parts, an authentication service, the AS, and a ticket granting service, the TGS. So again, the AS verifies your login.
Speaker 2:Your ticketing service gives you the tickets, the golden tickets, to allow you access to the specific services. So you like again we talked about there with the ticketing. It's in a gonna be in a movie. If you paid for the movie, you have your ticket. By walking into the movie theater, which I just went and saw, a movie. It now says, yes, you're being allowed.
Speaker 2:Now the fact is is that you could view I don't know if you all seen tickets in today's world there there are QR codes that are on your phone. Can those be potentially hacked? Well, they are, but they're not as easy. In the past you could make a ticket look like the legitimate ticket and people wouldn't really even know. You just go here's my ticket. Let me in. Now they get scanned. They get all kinds of aspects that are done with a movie ticket. Same concept, right? It can't be easily faked or reused for a different movie because of the fact that it's using its cryptographic functions for that.
Speaker 2:Now you have simplified authentication flow. What does this mean? So you're basically, when you initially log on, you, the client, enter in your username and password on the computer and your computer then sends an authentication service request to the KDC, to your key distribution center, for the ticket granting ticket. If your login is correct, the authentication server will give your computer a special ticket granting ticket, the TGT. The ticket granting service will do this. Your TGT is your proof that you've been authenticated to the KDC. So again, lots of acronyms. So if you're going to go to CISSP Cyber Training, you can actually see all the video that's there.
Speaker 2:You request this service ticket when you want access to a specific network service. This is where you request this done and the ticketing granting service on the KDC will then send your ticket to the TGS on the KDC the service ticket that was out there. The TGS then gives your computer a service ticket specifically for that file server. So it then passes you saying yes, I've authenticated you. I'm now going to give you the service ticket and now you can access that specific file server Accessing the service. Your computer then sends the service ticket directly to the file server and the file server then relies or verifies that the ticket of the KDC then granted your access. So there's this back and forth. So you get the AS gives you a TGT. The TGT then goes to the TGS to make sure that, yes, you are who you say you are and that they agree because the KDC verified your authentication. The TGS then turns around and gives a service ticket. The service ticket then is sent to this file server directly and the file server then verifies yes, sean is allowed access and then life is good. That is the flow.
Speaker 2:Now the ticket granting ticket can be intercepted and if it didn't have those cryptographic functions built into it, it could potentially be copied and reused, which there were some vulnerabilities with that in the early years. Like I mentioned before, the point of it is Kerberos is a complicated process that is behind the scenes that in many ways we don't even see it. We don't see it happening, but there's a lot of great authentication that's occurring to ensure that Sean is exactly who Sean says he is. Now some of the benefits of Kerberos you have strong security, right passwords are never sent across the network in their initial, after initial, login. You have single sign-on log in once.
Speaker 2:Access many services. There are some important considerations time synchronization all the computers in the Kerberos system must have their clocks synchronized extremely close and you'll you'll know that there's a clock service that's set up right or time service. Kdc's availability. If the KDC goes down, no one can get new tickets, so redundancy is crucial if you're relying on Kerberos, so you need to understand time, so your time server. And two, you need to have KDC up and available at all times.
Speaker 2:Okay, so now we're going to get into remote authentication, RADIUS and TACACS+. These are the last parts we're going to talk about in this section. So, remote authentication, so the challenges of remote access. As we know, after COVID, more than ever, people work anywhere, everywhere, using various devices, from laptops to phones, you name it. They have access. You got Starlink, you are in business anywhere in the globe.
Speaker 2:The problem is how do you make sure that only authorized people can access the resources, no matter where they are. They're no longer sitting in a data center somewhere. They're actually maybe in the Philippines, I don't know. The point of it is how do you ensure that the right people are gaining access? So a solution to this is the Central Authentication, authorization and Accounting systems. These are AAA systems. You'll see this in the CISSP, where that's authentication, authorization and accounting.
Speaker 2:Authentication, who are you? Proving your identity with the username and password. Authorization, what are you allowed to do? Defining your permissions. And then accounting, what did you do? Keeping records of your activity, right. It's always good to have accounting and audit available, making sure that you did what you're supposed to do. So when you're dealing with the solution, it's the AAA system. You'll hear about that. It's authentication, authorization and accounting. Who are you, what are you allowed to do and what did you do when you were there? Now you enter in RADIUS and TACACS+. Okay, so there's two main protocols, or sets of rules, that make the centralized AAA possible. They act as the security guard at the door of your network.
Speaker 2: Checking IDs and permissions and understanding them is really a key part of ensuring that you have a secure, manageable network within your organization, especially for your remote access users. So, RADIUS. This is Remote Authentication Dial-In User Service. Yeah, dial-in, right. Wow, that's a blast from the past, but RADIUS is still used, even though that has a lot of connotations from many years gone by. It is used in many, many organizations and it's designed for network authentication and accounting. Especially when you're dealing with Wi-Fi is an important part where you'll deal with RADIUS servers a lot, and if you're connecting to a company VPN or so forth, you will use a RADIUS server.
Speaker 2: So how does this all work? Well, let's say, for example, you want to connect to a network access server, so a NAS, and this could be done through your Wi-Fi router, whatever you want it to be, but you want to connect to a NAS. The NAS asks the RADIUS server, is this user allowed in? Basically with your credentials. The RADIUS server then will check your identity against the database. That's yes, that's there, and it'll then say yes or no, yeah, whatever it is. I was going to say it in Russian, but I can't even remember what the word is. No, yes or no, it's either one, right, da? Yeah, I think that's yes, da, nyet, or something like that. Yeah, see, I can't even speak Russian. I think I just watched Mission Impossible. I should know that, right. But the point of it is that it is allowing you access to these systems. It's used through a RADIUS server and then remote access, yes or no, will be allowed into that database, if, or that NAS server, if the database comes back and says yes, you can do that.
Speaker 2: Now some key features of the RADIUS server: it uses UDP, so it's fast. It's much faster than a TCP connection, but it's less reliable, right? So it's like sending a postcard, but it could get lost, but not typically, for sometimes, you know. But UDP is not necessarily one postcard. It's like a lot of postcards, right? It's just, it's, you're throwing out all kinds of stuff at you. Now it combines authentication, authorization. So when you say RADIUS, it says you're in. It combines the authentication and the authorization piece of this and it grants you a level of access to your organization.
Speaker 2: It is widely supported. Almost all network devices work with RADIUS and it's been around for a long time. And that's why, because it is so useful. It's great for Wi-Fi authentications, VPNs and general network access. So again, RADIUS servers, you'll see them. They are deployed in many different formats.
Speaker 2: So what is TACACS? TACACS is Terminal Access Controller Access Control System Plus. Right, that's a lot of words. TACACS: Terminal Access Controller Access Control System. You've got access control in there twice, right?
Speaker 2: Well, the primary purpose of this is securing administrative access to network devices such as routers, switches, firewalls. They will use TACACS+ to do this. So how does this work? Well, an administrator will try to log on to a network device, i.e. a router, right? The device asks the TACACS server, is this admin allowed to log in? That's your authentication piece of it. When the TACACS server says, yes, you're in, right, well, is this admin allowed to run a specific command? That's your authorization piece of it. Now it's going to say yes or no, right. The server records every command executed and it gives you that accounting piece of it as well. So you have authentication saying, is this person allowed? You have the authorization: is this admin allowed to run this specific command? And then the last part is, this is all kept and recorded, so again for future use potentially. That is the simplified version of how TACACS works.
Speaker 2: So some key differences, obviously, between TACACS and RADIUS. The features around this: it is TCP. Okay, it doesn't use UDP; it utilizes TCP, one, for a better connection, guaranteed delivery. It's crucial for critical administrative tasks that you need a TCP, an established connection. It separates AAA. This is how it works: it has authentication, authorization and accounting all as separate and distinct steps, not like the other pieces where they're all bundled together in one step. This has got them in specific steps. That is much better, especially for dealing with managerial types of activities.
Speaker 2: It has full encryption. The entire communication path is encrypted, making it very secure, obviously, because you're going to be doing administrative tasks. It's got command-level authorization, which allows you to control exactly what commands the administrator can run on that device, so you can limit what this person can or cannot do. It's great for IT staff, network equipment and obviously ensuring you have strict control over who can make the changes within your organization. That is TACACS. So again, if you're dealing with RADIUS versus TACACS: primary use of RADIUS, user network access; TACACS, device administration, that's more the admin type of activities. Reliability: UDP with RADIUS, TCP with TACACS. The control levels: RADIUS is session-level authorization, versus TACACS does command-level authorization, very granular. And then encryption is password only for RADIUS, and then in TACACS+ the entire payload is encrypted.
Speaker 2: So best practices for securing your AAA related to these. One, strong secrets. Obviously, using long, unique passwords or shared keys for both protocols is an important part. Link your RADIUS and TACACS servers to a central user database, such as Active Directory, for centralized access. Review your logs regularly. You should have this going into your SIEM, or you should be looking at them on a regular basis, especially when you're dealing with TACACS, to look for any potential suspicious activity. If you have an AI component within your organization, allow your AI activity to be able to look at the logs associated with both of these, RADIUS and TACACS. Redundancy: always have backup RADIUS and TACACS servers in case one fails.
Speaker 2: Virtualized systems are an important part. If you have one that's an on-prem type system, do you have the ability to maybe roll that to a virtual version, and then add MFA for an extra layer of security? I do recommend, obviously, adding MFA to anything that you do in any sort of protocol that you have out there dealing with security. It's an important factor in all of this that MFA is added as an additional security tool. Okay, these are the references we have for today's lesson.
Speaker 2: Thank you so much for joining me today on CISSP Cyber Training. I hope you guys got a lot out of this. It's a great time together. If you guys are spending time on Memorial Day, enjoy your family, enjoy what people have done for you in this country. If you are looking to get your CISSP, go to CISSP Cyber Training.
Speaker 2: Go check out what I've got at CISSP Cyber Training. It's awesome stuff for you. You will love it. It's incredible. A lot of great information that'll help you pass the CISSP exam the first time. That's what we want. We want you to pass the CISSP the first time and move on with your cybersecurity career. So again, thank you so much for joining and we will catch you all on the flip side, see ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.