Unit2 - Subjective Questions
INT242 • Practice Questions with Detailed Answers
Distinguish between Authentication and Authorization with examples.
Authentication vs. Authorization
While often used interchangeably, these two concepts represent distinct steps in the security process.
| Feature | Authentication (Who are you?) | Authorization (What can you do?) |
|---|---|---|
| Definition | The process of verifying the identity of a user, device, or system. | The process of determining what actions, data, or resources a verified user is allowed to access. |
| Timing | Occurs first. | Occurs after successful authentication. |
| Mechanism | Validates credentials (passwords, biometrics, tokens). | Validates policies, rules, and access control lists (ACLs). |
| Data Handling | Transmits passwords or keys. | Transmits tokens or permissions attributes. |
| Example | A user logging into a PC with a username and password. | A user being allowed to read a file but not delete it. |
Analogy:
- Authentication is showing your ID card to get into a building.
- Authorization is the key card that only opens the specific office door you are assigned to.
Explain the Three Factors of Authentication (MFA) and provide an example for each.
Multi-Factor Authentication (MFA) Factors
Strong authentication usually requires combining at least two of the following three major factors:
-
Something You Know (Knowledge Factor):
- This relies on information that only the user should know.
- Examples: Passwords, PINs, answers to security questions (e.g., "What is your mother's maiden name?").
-
Something You Have (Possession Factor):
- This relies on a physical object that the user possesses.
- Examples: Smart cards, RSA SecurID hardware tokens, a mobile phone (receiving an SMS OTP), or a USB security key (YubiKey).
-
Something You Are (Inherence Factor):
- This relies on intrinsic physical or behavioral characteristics of the user.
- Examples: Fingerprint scan, retinal scan, facial recognition, or voice recognition.
Note: MFA is most effective when factors from different categories are combined (e.g., Password + Fingerprint) rather than two from the same category (e.g., Password + PIN).
Describe the Identity Management (IdM) lifecycle.
Identity Management (IdM) Lifecycle
The IdM lifecycle manages the flow of a user's digital identity from creation to deletion. It ensures the right people have the right access at the right time.
-
Provisioning (Creation):
- The initial creation of a digital identity.
- Includes creating user accounts, assigning initial privileges, and distributing credentials (e.g., HR hires an employee, IT creates an Active Directory account).
-
Maintenance/Management (Update):
- Modifying identity attributes as user roles change.
- Includes password resets, promotion (increasing privileges), or department transfers (changing access scopes).
-
Authentication & Authorization (Usage):
- The active phase where the identity is used to access resources.
- Systems verify the identity and enforce access policies.
-
Deprovisioning (Termination):
- The revocation of access and deletion/disabling of the identity.
- Crucial for security when an employee leaves the organization to prevent "orphan accounts" (dormant accounts that can be exploited).
Compare Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role-Based Access Control (RBAC).
Comparison of Access Control Models
-
Discretionary Access Control (DAC):
- Concept: The data owner (creator) decides who has access.
- Mechanism: Uses Access Control Lists (ACLs) associated with objects.
- Flexibility: High flexibility but lower security (prone to Trojan horse attacks if the owner is compromised).
- Use Case: Standard Operating Systems (Windows file permissions, Linux
chmod).
-
Mandatory Access Control (MAC):
- Concept: The operating system restricts access based on labels and security clearance. Users cannot change permissions.
- Mechanism: Labels (e.g., Top Secret, Confidential) are assigned to subjects (users) and objects (files).
- Rule: A user with clearance can access data with classification only if permitted by rules (e.g., Bell-LaPadula model).
- Use Case: Military and highly secure government systems (SELinux).
-
Role-Based Access Control (RBAC):
- Concept: Access is granted based on the user's role within the organization, not their individual identity.
- Mechanism: Users are assigned to Roles; Permissions are assigned to Roles.
- Efficiency: simplifies management in large organizations (e.g., if an employee moves to a new department, simply change their role).
- Use Case: Enterprise applications, Corporate networks.
What are Biometric False Acceptance Rate (FAR) and False Rejection Rate (FRR)? How are they related?
Biometric Performance Metrics
Biometric systems are probabilistic, meaning they calculate a similarity score rather than a perfect match.
-
False Rejection Rate (FRR) - Type I Error:
- The percentage of times the system incorrectly rejects a valid, authorized user.
- Impact: Causes user frustration and operational inefficiency.
-
False Acceptance Rate (FAR) - Type II Error:
- The percentage of times the system incorrectly accepts an unauthorized imposter.
- Impact: Serious security breach.
Relationship (Crossover Error Rate - CER):
- FAR and FRR are inversely related. If you make the system more sensitive (stricter matching):
- FAR decreases (Security increases).
- FRR increases (Convenience decreases).
- Crossover Error Rate (CER): The point where . The lower the CER, the more accurate the biometric system is considered to be.
Explain the concept of Single Sign-On (SSO) and its benefits and drawbacks.
Single Sign-On (SSO)
Definition: SSO is an authentication scheme that allows a user to log in with a single ID and password to gain access to a connected system or multiple related but independent software systems.
How it works:
- User authenticates against a central Identity Provider (IdP).
- IdP generates a token (e.g., Kerberos ticket, SAML assertion).
- This token is passed to Service Providers (applications) to grant access without asking for credentials again.
Benefits:
- User Experience: Reduces password fatigue (users memorize one strong password instead of ten weak ones).
- Efficiency: Reduces help desk calls regarding password resets.
- Speed: Faster access to applications.
Drawbacks:
- Single Point of Failure: If the SSO server goes down, no one can access any application.
- Single Point of Compromise: If an attacker steals the master SSO credential, they gain access to all linked systems.
Define Federated Identity Management.
Federated Identity Management (FIM)
Definition: FIM is an arrangement that can be made between multiple enterprises or organizations to let subscribers use the same identification data to obtain access to the networks of all enterprises in the group.
Key Concept:
It extends Single Sign-On (SSO) across organizational boundaries. It relies on a trust relationship between an Identity Provider (IdP) (who holds the user directory) and a Service Provider (SP) (who hosts the resource).
Common Protocols:
- SAML (Security Assertion Markup Language): XML-based standard for exchanging auth data.
- OAuth / OIDC (OpenID Connect): JSON-based standards often used for consumer apps (e.g., "Log in with Google").
Example: A user logging into Zoom (Service Provider) using their university Google account (Identity Provider). Zoom trusts Google to verify the user.
Explain the architecture and purpose of a DMZ (Demilitarized Zone).
Demilitarized Zone (DMZ)
Definition: A DMZ (also known as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network, usually the Internet.
Purpose:
To add an extra layer of security to an organization's local area network (LAN). An external attacker only has direct access to equipment in the DMZ, rather than any other part of the network.
Architecture:
- Dual Firewall Architecture:
- External Firewall: Sits between the Internet and the DMZ. Allows traffic only to specific ports (e.g., HTTP/HTTPS).
- Internal Firewall: Sits between the DMZ and the internal LAN. It is much stricter, typically allowing only specific database connections originating from the DMZ servers.
Components in a DMZ:
- Web Servers.
- Mail Servers.
- DNS Servers.
- Proxy Servers.
Security Benefit: If a web server in the DMZ is compromised, the internal firewall prevents the hacker from moving laterally into the sensitive internal corporate network.
What is Defense in Depth? Explain with layers.
Defense in Depth
Definition: Defense in Depth is an information assurance concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. It is based on the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier.
Core Principle: If one mechanism fails, another steps up immediately to thwart an attack.
The Layers (Onion Model):
- Policies, Procedures, and Awareness: Administrative controls and user training.
- Physical Security: Guards, locks, cameras to protect hardware.
- Perimeter: Firewalls, DMZ, VPNs to protect the network edge.
- Internal Network: Network segmentation (VLANs), NIDS/NIPS.
- Host: Antivirus, Host-based IPS, OS hardening, Patch management.
- Application: Input validation, secure coding practices, WAF.
- Data: Encryption (at rest and in transit), Access Control Lists (ACLs).
This approach ensures no single point of failure compromises the entire asset.
Differentiate between Packet Filtering, Stateful Inspection, and Proxy Firewalls.
Types of Firewalls
-
Packet Filtering (Stateless) Firewalls:
- Mechanism: Examines data packets in isolation based on header information (Source IP, Destination IP, Port, Protocol).
- Pros: Fast, low processing overhead.
- Cons: Low security; does not understand the context of the connection. Vulnerable to IP spoofing.
-
Stateful Inspection Firewalls:
- Mechanism: Tracks the state of active connections (e.g., TCP Handshake). It maintains a state table.
- Logic: If a packet is part of an established valid connection, it passes. If it is an unsolicited inbound packet, it is dropped.
- Pros: Better security than packet filtering.
- Cons: More processor-intensive.
-
Application Proxy Firewalls (Gateway):
- Mechanism: Acts as an intermediary. The client connects to the proxy, and the proxy connects to the server. It deep-inspects the application payload (Layer 7).
- Pros: Highest security; can detect malicious commands inside HTTP or FTP traffic.
- Cons: Slowest performance; can break some applications.
Compare IDS (Intrusion Detection System) and IPS (Intrusion Prevention System).
IDS vs. IPS
| Feature | Intrusion Detection System (IDS) | Intrusion Prevention System (IPS) |
|---|---|---|
| Function | Monitors network traffic for suspicious activity and sends alerts. | Monitors traffic and actively blocks suspicious activity. |
| Placement | Usually connected via a SPAN port or Tap (Out-of-Band). | Placed inline with the traffic flow (In-Line). |
| Action | Passive: Logs the event, alerts the admin. | Active: Drops packets, resets connections, blocks IPs. |
| Network Impact | Does not affect latency (traffic is copied). | Can introduce latency (traffic must pass through it). |
| Failure Mode | Fail-open (if IDS dies, traffic keeps flowing). | Fail-open or Fail-closed (depends on config, fail-closed stops all traffic). |
Types for both:
- Signature-based: Matches known attack patterns.
- Anomaly-based (Heuristic): Detects deviations from a "normal" baseline.
Explain IPsec and its two main modes of operation.
IPsec (Internet Protocol Security)
Definition: A suite of protocols used to secure IP communications by authenticating and encrypting each IP packet of a communication session. It operates at Layer 3 (Network Layer).
Core Protocols:
- AH (Authentication Header): Provides integrity and origin authentication but no encryption.
- ESP (Encapsulating Security Payload): Provides encryption (confidentiality), integrity, and authentication.
Modes of Operation:
-
Transport Mode:
- Scope: Only the payload (data) of the IP packet is encrypted/authenticated. The original IP header is left intact.
- Use Case: End-to-End communication (e.g., Host-to-Host). Requires both hosts to support IPsec.
-
Tunnel Mode:
- Scope: The entire IP packet (header + payload) is encrypted and encapsulated inside a new IP packet with new headers.
- Use Case: Site-to-Site VPNs (e.g., Gateway-to-Gateway). The internal IP addresses are hidden from the public network.
What are VLANs and how do they contribute to network security?
Virtual LANs (VLANs)
Definition: A VLAN is a logical grouping of devices in the same broadcast domain, regardless of their physical location on the network structure. It is configured on switches (Layer 2).
Security Benefits (Segmentation):
-
Traffic Isolation:
- Sensitive traffic (e.g., HR or Finance data) is separated from general traffic (e.g., Guest Wi-Fi).
- A user on the "Guest VLAN" cannot sniff packets or access resources on the "Finance VLAN" even if they are plugged into the same physical switch.
-
Reduced Attack Surface:
- If a host in one VLAN is compromised (e.g., by a worm), the malware is contained within that broadcast domain and cannot easily spread to other VLANs without passing through a firewall/router.
-
Access Control:
- Inter-VLAN routing allows administrators to place firewalls or ACLs between VLANs to strictly control who can talk to whom.
Describe the Zero Trust Security Model.
Zero Trust Architecture
Core Philosophy: "Never Trust, Always Verify."
Traditional security models focused on a "perimeter" (castle-and-moat)—once you were inside the network (via VPN or physical cable), you were trusted. Zero Trust assumes the network is already compromised.
Key Principles:
- Verify Explicitly: Always authenticate and authorize based on all available data points (identity, location, device health, data classification) before granting access.
- Least Privilege Access: Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA) policies.
- Assume Breach: Minimize blast radius and segment access. Verify end-to-end encryption.
Implementation:
- Micro-segmentation of networks.
- Strong MFA.
- Continuous monitoring of user behavior.
- Removing implicit trust based on network location (e.g., being in the office doesn't grant automatic server access).
Distinguish between Remote Access VPN and Site-to-Site VPN.
VPN Types
1. Remote Access VPN:
- Scenario: Connects individual users to a private network from a remote location (e.g., an employee working from a coffee shop connecting to the corporate office).
- Architecture: Client software is installed on the user's device (laptop/phone). The connection is established between the Client and the VPN Gateway at the office.
- Technologies: SSL/TLS (OpenVPN), IPsec (IKEv2).
2. Site-to-Site VPN:
- Scenario: Connects two entire networks together (e.g., Branch Office A connects to Head Office B).
- Architecture: The connection is established between two VPN Gateways (routers/firewalls). End users do not need special software; the routers handle the encryption transparently.
- Technologies: Primarily IPsec (Tunnel Mode).
- Benefit: Allows resources in Branch A to access resources in Head Office as if they were in the same building.
Explain the SSL/TLS Handshake process.
SSL/TLS Handshake Process
The handshake establishes a secure connection between a Client (Browser) and a Server.
-
Client Hello:
- Client sends supported SSL/TLS versions, cipher suites, and a random number ().
-
Server Hello:
- Server selects the protocol version and cipher suite, sends its digital certificate (containing Public Key ), and a random number ().
-
Verification:
- Client verifies the server's certificate with a Certificate Authority (CA).
-
Premaster Secret Exchange:
- Client generates a "Premaster Secret", encrypts it using the server's Public Key (), and sends it to the server.
-
Session Key Generation:
- Both Client and Server use the Premaster Secret, , and to mathematically generate the same Symmetric Session Key.
-
Finished:
- Client and Server send a "Finished" message encrypted with the new Session Key to verify that encryption works.
- Secure communication begins using symmetric encryption (AES, ChaCha20, etc.).
What is a Web Application Firewall (WAF) and how does it differ from a standard network firewall?
Web Application Firewall (WAF)
Definition: A security appliance (hardware or software) designed specifically to protect web applications by monitoring and filtering HTTP/HTTPS traffic between a web application and the Internet.
Differences:
| Feature | Network Firewall | Web Application Firewall (WAF) |
|---|---|---|
| OSI Layer | Layers 3 and 4 (IP/TCP). | Layer 7 (Application). |
| Focus | Port blocking, IP filtering, Packet Inspection. | HTTP/HTTPS payload analysis. |
| Protects Against | Port scanning, unauthorized network access, DoS. | SQL Injection, Cross-Site Scripting (XSS), CSRF, Cookie poisoning. |
| Context | "Is this IP allowed on Port 80?" | "Is this search query containing malicious SQL code: ' OR 1=1 --?" |
A robust security architecture requires both: the network firewall protects the server infrastructure, while the WAF protects the web application logic.
Explain the purpose of Network Access Control (NAC).
Network Access Control (NAC)
Definition: NAC is a security solution that enforces policy on devices before they are allowed to access the network nodes and resources.
Key Functions:
-
Admission Control:
- Checks the "health" of a device connecting to the network (e.g., does it have the latest antivirus? Is the OS patched?).
- If the device is unhealthy, it is moved to a "Quarantine VLAN" to be fixed.
-
Authentication & Authorization:
- Identifies the user/device (via 802.1X protocol) and assigns them to the correct VLAN (e.g., Employee vs. Guest).
-
Post-Admission Control:
- Continuously monitors connected devices for suspicious behavior.
Use Case: Preventing a personal laptop infected with malware from plugging into a corporate Ethernet jack and infecting the main servers.
Compare SSH and Telnet.
SSH vs. Telnet
Both are network protocols used for remote command-line administration of servers and network devices.
| Feature | Telnet (Teletype Network) | SSH (Secure Shell) |
|---|---|---|
| Security | Unsecure. Sends data in cleartext. | Secure. Encrypts all traffic. |
| Data Visibility | Passwords and commands can be easily sniffed by attackers using tools like Wireshark. | Data is encrypted; attackers only see garbage text. |
| Authentication | Basic username/password. | Public Key Infrastructure (PKI), Certificates, Passwords. |
| Port | Default TCP Port 23. | Default TCP Port 22. |
| Capabilities | Remote shell only. | Remote shell, Secure File Transfer (SFTP), Port Forwarding (Tunneling). |
Conclusion: Telnet is obsolete for remote management over untrusted networks. SSH must always be used.
Design a Secure Network Architecture for a web application hosting sensitive database records. Detail the placement of components.
Secure Three-Tier Architecture Design
To host a sensitive web application, a segmented architecture using a DMZ is required. This limits the attack surface.
1. Perimeter:
- Edge Router: Filters basic traffic (bogons, DDoS mitigation).
- External Firewall: Allows only ports 80 (HTTP) and 443 (HTTPS) to enter.
2. DMZ (Demilitarized Zone):
- Web Server / Load Balancer: Placed here. It is accessible from the internet.
- WAF (Web App Firewall): Placed in front of the web server to stop XSS/SQLi attacks.
- Bastion Host (Jump Box): The only server exposed to SSH from the internet (restricted IP) for admins to manage internal servers.
3. Internal Firewall:
- Separates the DMZ from the Internal Network.
- Rule: Allows traffic only from the Web Server IP to the Application Server IP on a specific port.
4. Internal Network (Trusted Zone):
- Application Server: Processes logic. Not directly accessible from the internet.
5. Database Zone (High Security):
- Database Server: Holds sensitive records.
- Placement: Deepest layer.
- Rule: Accepts connections only from the Application Server. No internet access allowed (updates managed via internal proxies).
This "Defense in Depth" ensures that if the Web Server in the DMZ is hacked, the attacker still faces another firewall and cannot directly dump the database.