Which of the following protocols can be used to secure an LDAP service against anonymous queries?

Option 1 : WPA
Option 2 : RADIUS
Option 3 : NTLM
Option 4 : SSO
1. WPA

Wi-Fi Protected Access (WPA) is a security standard for users of computing devices equipped with wireless internet connections. WPA was developed by the Wi-Fi Alliance to provide more sophisticated data encryption and better user authentication than Wired Equivalent Privacy (WEP), the original Wi-Fi security standard. The new standard, which was ratified by the IEEE in 2004 as 802.11i, was designed to be backward-compatible with WEP to encourage quick, easy adoption. Network security professionals were able to support WPA on many WEP-based devices with a simple firmware update.

WPA has separate modes for enterprise users and for personal use. The enterprise mode, WPA-EAP, uses more stringent 802.1x authentication with the Extensible Authentication Protocol (EAP). The personal mode, WPA-PSK, uses preshared keys for easier implementation and management among consumers and small offices. Enterprise mode requires the use of an authentication server. WPA's encryption method is the Temporal Key Integrity Protocol (TKIP). TKIP includes a per-packet key mixing function, a message integrity check, an extended initialization vector and a re-keying mechanism. WPA provides strong user authentication based on 802.1x and the Extensible Authentication Protocol (EAP). WPA depends on a central authentication server, such as RADIUS, to authenticate each user.

Software updates that allow both server and client computers to implement WPA became widely available during 2003. Access points (see hot spots) can operate in mixed WEP/WPA mode to support both WEP and WPA clients. However, mixed mode effectively provides only WEP-level security for all users. Home users of access points that use only WPA can operate in a special home mode in which the user need only enter a password to be connected to the access point. The password triggers authentication and TKIP encryption.

Wi-Fi Protected Access II and the most current security protocols

WPA2 superseded WPA in 2004. WPA2 uses the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP). It is based on the mandatory Advanced Encryption Standard algorithm, which provides message authenticity and integrity verification, and it is much stronger and more reliable than the original TKIP protocol for WPA.

WPA2 still has vulnerabilities; primary among those is unauthorized access to the enterprise wireless network, where there is an invasion of attack vectors of certain Wi-Fi Protected Setup (WPS) access points. This can take the intruder several hours of concerted effort with state-of-the-art technology, but the threat of system compromise should not be discounted. It is recommended that WPS be disabled for each attack-vector access point in WPA2 to discourage such threats.

Though these threats have historically, and almost exclusively, been directed at enterprise wireless systems, even home wireless systems can be made vulnerable by weak passwords or passphrases, which make it easier for an intruder to compromise those systems. Privileged accounts (such as administrator accounts) should be protected by stronger, longer passwords, and all passwords should be changed frequently.

2. RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol, operating on ports 1812 and 1813, that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect to and use a network service. RADIUS was developed by Livingston Enterprises, Inc. in 1991 as an access server authentication and accounting protocol and was later brought into the Internet Engineering Task Force (IETF) standards.

RADIUS is a client/server protocol that runs in the application layer and can use either TCP or UDP as transport. Network access servers, the gateways that control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. RADIUS is often the back-end of choice for 802.1X authentication as well.

The RADIUS server is usually a background process running on a UNIX or Microsoft Windows server.
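The client/server exchange described above, as an added example that is not part of the original page: a network access server (the RADIUS client) sends an Access-Request on UDP port 1812, and the server answers with an Access-Accept or Access-Reject whose Response Authenticator is MD5 over the reply header, the request's authenticator, the attributes and the shared secret (RFC 2865). The packet and attribute codes are the standard RFC 2865 values; the user name, NAS address, shared secret and fixed request authenticator are constructed sample values (a real client uses 16 random bytes per request). The point for a defender is the last function: a reply that does not verify under the client's copy of the secret, or whose identifier does not match the outstanding request, is discarded.

```python
import hashlib
import hmac
import struct

RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813          # ports named in the text
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_REPLY_MESSAGE = 1, 4, 18  # RFC 2865 attribute types

# Constructed sample values (not from the page).
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))  # stand-in for the 16 random bytes a client generates


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, header included) Value TLVs."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(raw):
    """Parse the TLV list, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("invalid attribute length")
        attrs.append((atype, raw[i + 2:i + alen]))
        i += alen
    return attrs


def build_request(ident, request_auth, attrs):
    """Access-Request as sent by the NAS (RADIUS client) to the server."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code, ident, request_auth, attrs, secret):
    """Server reply. Its authenticator binds the reply to the request and the shared secret:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, expected_ident, secret):
    """Client-side check: sane length, identifier matches the outstanding request,
    and the Response Authenticator verifies under the client's copy of the secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != expected_ident:
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def exchange(secret_on_server=SHARED_SECRET):
    """One Access-Request / Access-Accept round trip; returns (reply code, verified)."""
    ident = 7
    request = build_request(ident, REQUEST_AUTHENTICATOR,
                            [(ATTR_USER_NAME, b"alice"),
                             (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))])
    # Server side: parse the request, decide, and answer with its own secret.
    req_attrs = dict(decode_attrs(request[20:]))
    code = ACCESS_ACCEPT if req_attrs.get(ATTR_USER_NAME) == b"alice" else ACCESS_REJECT
    response = build_response(code, request[1], request[4:20],
                              [(ATTR_REPLY_MESSAGE, b"Welcome")], secret_on_server)
    # Client side: only a reply that verifies under the client's secret is trusted.
    return code, verify_response(response, REQUEST_AUTHENTICATOR, ident, SHARED_SECRET)


if __name__ == "__main__":
    print("matching secret:", exchange())
    print("mismatched secret:", exchange(b"wrong-secret"))
```

With matching secrets the client sees `(2, True)`; a server configured with a different secret still sends an Access-Accept, but the client's verification fails and the reply must be dropped.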

3. NTLM

In a Windows network, NT (New Technology) LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. Whether these protocols are used or can be used on a system is governed by Group Policy settings, for which different versions of Windows have different default settings. NTLM passwords are considered weak because they can be brute-forced very easily with modern hardware.

NTLM is a challenge-response authentication protocol that uses three messages to authenticate a client in a connection-oriented environment (connectionless is similar), and a fourth additional message if integrity is desired.

  1. First, the client establishes a network path to the server and sends a NEGOTIATE_MESSAGE advertising its capabilities.
  2. Next, the server responds with a CHALLENGE_MESSAGE, which is used to establish the identity of the client.
  3. Finally, the client responds to the challenge with an AUTHENTICATE_MESSAGE.

The NTLM protocol uses one or both of two hashed password values, both of which are also stored on the server (or domain controller), and which, through a lack of salting, are password equivalent, meaning that if you obtain the hash value from the server, you can authenticate without knowing the actual password. The two are the LM hash (a DES-based function applied to the first 14 characters of the password converted to the traditional 8-bit PC charset for the language) and the NT hash (MD4 of the little-endian UTF-16 Unicode password). Both hash values are 16 bytes (128 bits) each.

The NTLM protocol also uses one of two one-way functions, depending on the NTLM version. NT LanMan and NTLM version 1 use the DES-based LanMan one-way function (LMOWF), while NTLMv2 uses the NT MD4-based one-way function (NTOWF).

4. SSO

Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials, for example a name and password, to access multiple applications. SSO can be used by enterprises, smaller organizations and individuals to ease the management of various usernames and passwords.

In a basic web SSO service, an agent module on the application server retrieves the specific authentication credentials for an individual user from a dedicated SSO policy server, while authenticating the user against a user repository, such as a Lightweight Directory Access Protocol (LDAP) directory. The service authenticates the end user for all the applications the user has been given rights to and eliminates future password prompts for individual applications during the same session.

How single sign-on works

Single sign-on is a federated identity management (FIM) arrangement, and the use of such a system is sometimes called identity federation. OAuth, which stands for Open Authorization and is pronounced "oh-auth," is the framework that enables an end user's account information to be used by third-party services, such as Facebook, without exposing the user's password.

(Graphic: how single sign-on works)

OAuth acts as an intermediary on behalf of the end user by providing the service with an access token that authorizes specific account information to be shared. When a user attempts to access an application from the service provider, the service provider sends a request to the identity provider for authentication. The service provider then verifies the authentication and logs the user in.

Types of SSO configurations

Some SSO services use protocols such as Kerberos and Security Assertion Markup Language (SAML).

  • SAML is an Extensible Markup Language (XML) standard that facilitates the exchange of user authentication and authorization data across secure domains. SAML-based SSO services involve communications among the user, an identity provider that maintains a user directory, and a service provider.
  • In a Kerberos-based setup, once the user credentials are provided, a ticket-granting ticket (TGT) is issued. The TGT fetches service tickets for other applications the user wishes to access, without asking the user to reenter credentials.
  • Smart card-based SSO asks an end user to use a card holding the sign-in credentials for the first login. Once the card is used, the user will not have to reenter usernames or passwords. SSO smart cards can store either certificates or passwords.

Security risks and SSO

Although single sign-on is a convenience to users, it presents risks to enterprise security. An attacker who gains control over a user's SSO credentials is granted access to every application the user has rights to, increasing the amount of potential damage. In order to avoid malicious access, it is essential that every aspect of the SSO implementation be coupled with identity governance. Organizations can also use two-factor authentication (2FA) or multifactor authentication (MFA) with SSO to improve security.

Advantages and disadvantages of SSO

Advantages of SSO include the following:

  • It enables users to remember and manage fewer passwords and usernames for each application.
  • It streamlines the process of signing on and using applications; there is no need to reenter passwords.
  • It lessens the chance of phishing.
  • It leads to fewer complaints or trouble about passwords for IT help desks.

Disadvantages of SSO include the following:

  • It doesn't address certain levels of security each application sign-on may need.
  • If availability is lost, then users are locked out of the multiple systems connected to the SSO.
  • If unauthorized users gain access, then they could gain access to more than one application.

SSO vendors

There are multiple SSO vendors that are well known. Some offer other services, and SSO is an additional feature. SSO vendors include the following:

  • Rippling enables users to sign on to cloud applications from multiple devices.
  • Avatier Identity Anywhere is an SSO for Docker container-based platforms.
  • OneLogin is a cloud-based identity and access management (IAM) platform that supports SSO.
  • Okta is a tool with SSO functionality. Okta also supports 2FA and is primarily used by enterprise users.
This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
